A breach at hospitality reservations giant Sabre Corp may have compromised payment and customer data tied to bookings processed at more than 32,000 hotels around the world.
Sabre’s cloud-based software is widely used in the hotel and airline business to manage guest bookings, rates and availability, guest profiles, staffing, back office and payment system integration and so on—and even flight and crew management on the airline side. According to independent security researcher Brian Krebs, it spilled the beans in a quarterly filing with the US Securities and Exchange Commission (SEC), in which it said that it was “investigating an incident of unauthorized access to payment information contained in a subset of hotel reservations processed through our Hospitality Solutions SynXis Central Reservations system.”
Sabre said it has tapped Mandiant to help investigate, and that it has notified law enforcement. “The unauthorized access has been shut off and there is no evidence of continued unauthorized activity,” Sabre told customers in a note obtained by Krebs, adding that the issue was confined to its hotel business: “There is no reason to believe that any other Sabre systems beyond SynXis Central Reservations have been affected.”
Yet it provided no details as to the cause of the breach, how long it may have persisted or how many customers have been affected.
“A card involving traveler transactions for even a small percentage of the 32,000 properties that are using Sabre’s impacted technology could jeopardize a significant number of customer credit cards in a short amount of time,” Krebs pointed out.
This is, of course, just the latest in a string of hospitality-related cyber-incidents.
"The travel industry in the last two years has been sufficiently targeted by fraudsters from every channel that this breach could unequivocally have massive data security implications,” said Shane Stevens, director, Omni-Channel Trust & Identity Solutions, VASCO Data Security, via email. “The recent expansion of security roles in travel are a good indicator that the industry knows it has glaring security concerns.”
He added that multiple-factor authentication controls, securing end-to-end profile and payment transaction data, and protection of the mobile app are just some areas that need to take priority.
“Outside of being very concerned about using my mobile device to access my room, I would personally tell all consumers to cease and lock away the use of all debit cards and instead use charge cards to transact in order to protect themselves, as at this point, we are just not sure what is safe anymore,” he added.