Sonder confirms data breach, documents and other PII potentially compromised

Written by

Hospitality company Sonder has confirmed a data breach that has potentially compromised guest records.

According to a security update published on Wednesday, November 23, 2022, Sonder learned of unauthorized access to one of its systems on November 14.

“Sonder believes that guest records created prior to October 1, 2021, were involved in this incident,” the company wrote. It added that they have no evidence to indicate that accounts created after November 14, 2022, were involved.

“This suggests the company has improved their security since last October, that, or the attacker managed to access an old backup or copy of the data,” explained Mark Warren, product specialist at Osirium.

“‘Unauthorized access could apply to current staff, someone who left a while ago, a vendor, or an attacker,” Warren told Infosecurity.

The data potentially compromised in the breach reportedly include usernames and encrypted passwords, names, phone numbers, dates of birth, addresses and email addresses.

Certain guest transaction receipts, including the last four digits of credit card numbers and transaction amounts, could have also been compromised, alongside dates booked for stays at Sonder properties.

“Additionally, Sonder believes that copies of government-issued identification such as driver’s licenses or passports may have been accessed for a limited number of guest records,” the company added.

Sonder explained that upon discovering the breach, it took steps to contain it, including ensuring that the unauthorized individual no longer had access to systems and that operations were not affected and investigating the scope of the incident.

The company is also reportedly notifying affected users and appropriate regulatory bodies and has contacted law enforcement.

Warren said companies should learn from data breaches like this and improve their security posture by protecting customer databases (and backups) from attackers, disgruntled staff, and accidental damage. The executive also warned against letting staff have direct access to the credentials used to access those systems.

“Not only does that reduce the risk of access being compromised, but it makes life a lot easier when the company needs to rotate credentials,” Warren added.

“Without that control, changing credentials regularly or making them highly complex becomes too expensive, so many end up taking shortcuts or not updating credentials often enough.”

All in all, Warren believes protection always comes back to the fundamentals.

“Know where the sensitive data and systems are, understand who has access and who really needs it, and ensure that access is only possible through secure channels such as privileged access management.”

The Sonder data breach comes weeks after Shein's holding company Zoetop was fined $1.9m after failing to properly inform customers of a hack that reportedly affected millions of users.

What’s hot on Infosecurity Magazine?