Sabre Corporation, the travel technology company, agreed to pay $2.4 million as a settlement with twenty-seven (27) State Attorneys General for a 2017 data breach involving hotel booking services.  In 2017, Sabre suffered a major data breach involving 1.3 million credit cards.

Sabre was cited for failing to adhere to state laws governing breach notification and data security in response to a cyberattack against Sabre’s SynXis Central Reservation System.  The online booking system is used by a number of large businesses for hotel and travel reservation purposes.

SynXis allows hotel customers to configure what data they receive in accordance with their own preferences.  Hotel customers retrieve booking information from SynXis.

From August 10, 2016 to March 9, 2017, a cyber-attack illegally accessed SynXis and business and personal credit card information, including credit card number, expiration data and authorization code. 

The attacker was able to exploit an administrator-level account from which the attacker could view and collect credit card information.  Sabre detected the unauthorized account in August 2016 but took no steps to investigate the intrusion and any possible compromises of personal credit card data.

On March 9, 2017, while investigating a report about an unrelated incident, Sabre noticed unusual activity associated with the SynXis accounts.  Sabre partially disabled the account but again did not investigate the suspicious activity.  Beginning on March 29, 2017, Sabre received reports from online travel agencies of suspicious activity.  Again, Sabre did not begin to investigate the suspicious activity.

The State AGs specifically cited Sabre’s failure to respond to serious red flags and notify consumers who had suffered breach of their personal data.  Even after confirming the cyber-attack, Sabre failed to notify any consumers, claiming that its business customers were obligated to notify consumers.  Some consumers did not receive data breach notifications until 2018.

According to the State AG charges, Sabre did not have appropriate information security measures or plans in place to respond to a data breach.

Aside from the $2.4 million penalty, Sabre is required to implement numerous changes to its security and notification protocols, including ensuring that its contracts with businesses clarify the roles and responsibilities of each party in the event of a data breach.

In addition, the settlement agreement requires Sabre to determine whether its customers have been notified, implement a comprehensive information security program, a written incident response, a data breach notification plan, and undergo a third-party security assessment.

Sabre initially informed its business customers in June 2017, after it initially disclosed the breach in its regular SEC filing.  The breach actually occurred between August 2016 and March 2017, and centered on more than a million payment cards.