Published on : Thursday, July 6, 2017
Since June 6, Sabre has notified and been working with certain customers and partners that use or interact with Sabre Hospitality Solutions’ (SHS) SynXis Central Reservations system (SHS reservation system) about our previously disclosed incident of unauthorized access. Some travel management companies (TMCs) and travel agencies that booked travelers that may have been affected have also been notified about the incident, although those TMCs and other parties do not use or interact with the Sabre SynXis system. Our investigation is complete and we have determined that an unauthorized party accessed certain payment card information for a limited subset of hotel reservations processed through the SHS reservation system.
Not all reservations that were viewed included the payment card security code, as a large percentage of bookings were made without a security code being provided. Others were processed using virtual card numbers in lieu of consumer credit cards. Personal information such as social security, passport or driver’s license number was not accessed. Sabre has notified law enforcement and the credit card brands as part of our investigation.
There is no indication that any other Sabre systems beyond the SHS reservation system, such as Sabre’s Travel Network and Airline Solutions platforms, were affected by the unauthorized party. We have taken successful measures to ensure this unauthorized access to the SHS reservation system was stopped and is no longer possible. Our investigation did not uncover forensic evidence that the unauthorized party removed any information from the system, but it is a possibility.
This incident was limited to a subset of bookings made through the SHS reservation system and accessed over a seven month period from August 2016 to March 2017. Not all of our SHS customers had reservations that were accessed, and even for those that did have reservations that were viewed, it varied with regard to the percentage of reservations that were accessed. We have engaged Epiq Systems to provide complimentary consumer notice support for those customers that determine they have a notification obligation. The data submitted to the SHS reservation system varied, as well as the geographic locations of both our customers and their respective guests, so we have worked to provide those Sabre customers that had reservations that were viewed with all available information to evaluate their affected reservations and customer lists. A general consumer information site is available at sabreconsumernotice.com to support any direct consumer notice our customers might choose to make.
The Sabre team sincerely regrets this incident, and we appreciate the support and collaboration our partners have shown during this investigation. Our industry, like many, faces ever increasing cybersecurity threats that require strong partnerships across the travel ecosystem. Sabre will continue to take strong measures to protect the interests of our customers and the traveling public.