Google Staffers Hit by Breach at Third-Party Booking Firm

Google has been forced to notify some of its employees that their personal and financial details have been breached as a result of an incident affecting a third-party partner.

The web giant sent affected staff a letter late last week confirming that the incident at electronic reservation system firm Sabre earlier in the year impacted Google travel provider Carlson Wagonlit Travel (CWT).

It added:

“CWT has confirmed that one or more of your hotel reservations and the name, contact information, and payment card information associated with the reservation(s) may have been compromised.”

The letter (via Bleeping Computer) continued:

“The unauthorized party was able to access the name, contact information and payment card data associated with certain hotel reservations maintained in the SynXis CRS between August 10, 2016 and March 9, 2017. Sabre’s investigation discovered no evidence that information such as Social Security, passport, and driver’s license numbers were accessed. However, because the SynXis CRS deletes reservation details 60 days after the hotel stay, we are not able to confirm the specific information associated with every affected reservation.”

The incident is yet another example of the complex web of third-party partners and providers that can expose even firms with the resources of Google to potential data breaches.

Fred Kneip, CEO of Denver-based CyberGRX, argued the leak shows how tricky it is for firms to know which of these partners poses the biggest cybersecurity risk to their organization.

“A company the size of Google, whose reputation depends in large part on its ability to keep data secure, has thousands of third parties in its digital ecosystem,” he added.

“Attackers are clearly focused on the weakest links within those ecosystems – third parties like HVAC vendors and travel agencies – in order to do real damage.”

In one of the biggest breaches ever recorded, US retailer Target was famously attacked in 2013 after hackers compromised an HVAC partner which had lower-grade security in place.

UPDATE: 14/07/2017 - Statement from CWT

CWT was informed by Sabre that some traveler data had been viewed by an outside party due to a breach of Sabre’s Hospitality Solutions / SynXis Central Reservation system (“SHS”), which provides reservations technology and support to hotels.

SHS is not a CWT technology platform or a solution used by CWT.

CWT has proactively notified potentially impacted customers and encouraged them to visit the Sabre microsite (which includes call center details):
