Sabre Cyber Breach: New Developments

There were new developments regarding the Sabre cyber breach this past week, as the travel industry and the public are learning more about its scope and scale.

To recap, in early May, Sabre, Inc., which provides electronic travel booking services, disclosed that it was investigating “an incident of unauthorized access to payment information contained in a subset of hotel reservations processed through [its] Hospitality Solutions SynXis Central Reservations system.” That system serves 32,000 properties. Sabre stated that it had shut off the unauthorized access and had engaged a security forensics firm to investigate.

This week, Sabre announced that it had concluded its investigation and found that the attackers accessed a subset (less than 15%) of its bookings between August 10, 2016 and March 9, 2017. The intruders were able to access cardholder names, card numbers, expiration dates and possibly card security codes, as well as guest names, emails, phone numbers, addresses and other information in some cases. Sabre said it found no evidence that social security, passport and driver’s license numbers were accessed. However, because SynXis only keeps data for 60 days, and its system was compromised for approximately eight months, it is impossible to determine exactly what data was compromised.

While Sabre did not find evidence of exfiltration of information, it was not able to conclude that none occurred.

Over the past month, Sabre has been sending notices to customers and partners that use SynXis, as well as some travel management companies and travel agencies. It has also engaged a company to provide complimentary consumer notice support for those customer and partners that determine that they should notify their customers.

In turn, some companies that either do business with Sabre, or whose employees may have traveled using SynXis bookings, are sending out notifications. For example, because it uses a travel agency that utilizes SynXis, Google has notified employees who had booked such travel during the relevant period, and has offered them 24 months of free identity protection and credit protection. Other companies, including Loews hotels, are also notifying customers of the breach. It is not clear that those companies have concluded that such notices are mandatory. Whether notification is required may depend not only on the specific state or local law covering any affected individuals, but also on how a company’s employees may have interacted with SABRE/SynXis, e.g. through the company or directly.

The magnitude of the Sabre incident is creating concern across a large number of companies whose employees have been affected, and serves as a reminder that travel companies, like others in e-commerce, remain highly desirable targets for hackers. It may also spur regulators to redouble their efforts to ensure that others in the industry maintain appropriately robust data protection practices.