Growing numbers of hotels have had customer data including bank card and payment details comprised following a cyber security breach at Sabre.
Cyber criminals gained access to the payment details of customers at multiple hotels using Sabre Hospitality Solutions’s SynXis reservations system over the course of seven months up to March this year.
Sabre only became aware of the breach and began to inform the hotels at the beginning of May.
Hospitality groups whose customers’ card data has been compromised include Four Seasons Hotels, Rosewood Hotel Group and Trump Hotels.
Four Seasons said card information “including cardholder name, card number, expiration date and potentially card security code” had been compromised “for certain reservations”.
Bookings direct with the group or any of its 105 properties “were not compromised”.
Rosewood Hotel Group said customers booked through third-parties using Sabre’s SynXis system had data stolen during a four-month period between November 3 and March 9.
It recommended clients “regularly review account statements and monitor free credit reports for any unauthorised activity”.
Sabre announced last week that customers of travel management companies (TMCs) and travel agencies could also have been affected.
However, the full extent of the breach remains unclear.
Sabre first gave notice of the breach at its SynXis Central Reservations system on May 2, saying it was “investigating an unauthorised access to payment information in a subset of hotel reservations”.
The company said it had “notified law enforcement” and engaged a third-party cybersecurity firm to support the investigation.
In an update last week Sabre said it had “notified and been working with” customers and partners using the SynXis system “since June 6”.
The company said it had completed its investigation into the breach, noting: “An unauthorised party accessed certain payment card information for a limited subset of hotel reservations.
“Not all reservations included the payment card security code, a large percentage of bookings were made without a security code. Others were processed using virtual card numbers.
“Personal information such as social security, passport or driver’s license number was not accessed.”
Sabre said it had found no “forensic evidence” of the removal of “any information from the system”, but added “it is a possibility”.
“This incident was limited to a subset of bookings made through the SynXis Hospitality Solutins reservation system and access over a seven-month period from August 2016 to March 2017.
“Not all our SHS customers had reservations that were accessed and for those that did . . . the percentage of reservations accessed varied.”
However, it said: “There is no indication that any other Sabre systems such as Sabre’s Travel Network and Airline Solutions platforms were affected.”
Sabre provides reservations systems for airlines and a global distribution system for travel agents and tour operators.
The company revealed: “Some travel management companies (TMCs) and travel agencies booked travellers who may have been affected although those TMCs and other parties do not use or interact with the SynXis system.”
Sabre said it had “taken measures to ensure this unauthorised access is no longer possible”.
Separately, Intercontinental Hotel Group reported in April that more than 1,200 of its properties had been compromised by malicious software installed at front-desk systems.
Sabre reported another “cybersecurity incident” affecting part of its airline reservations system two years ago, but found no evidence that customer data had been compromised.
A recent data-breach report by Verizon described malware attacks as “absolutely rampant” in the hospitality sector.
Sabre has set up a consumer information site
More: