Sabre's investigation into a credit card data breach in its
SynXis hotel reservations system found that it was contained to "a limited
subset of hotel reservations," but an unauthorized party did have access
to credit card numbers, expiration dates and cardholder names.
Sabre first announced the data breach in May. Since then,
the company said it has been working with its customers and partners that use
or interact with the system. Some TMCs and travel agencies who may have booked
affected travelers have also been notified about the incident, but Sabre said
they do "not use or interact with the Sabre SynXis system."
According to Sabre, there was "no indication" that
other systems outside of SynXis Central Reservations were affected. They did,
however, find that the unauthorized party accessed the information over the
course of seven months, from August 2016 to March 2017.
About 36,000 hotels use the SynXis reservations system.
According to the consumer website Sabre has set up about the
incident, the unauthorized party was able to access cardholder names, payment
card numbers, card expiration dates, card security codes for some, and, in some
cases, guest name, email, phone number and address.
"Not all reservations that were viewed included the
payment card security code, as a large percentage of bookings were made without
a security code being provided," Sabre's statement said. "Others were
processed using virtual card numbers in lieu of consumer credit cards. Personal
information such as social security, passport or driver's license number was
Since the breach was discovered, Sabre said it has taken
steps to end the unauthorized access and ensure it is no longer possible. Law
enforcement and the credit card companies were also notified. While no evidence
was found that the unauthorized party removed information from the system,
Sabre did say it is a possibility.
"Not all of our SHS customers had reservations that
were accessed, and even for those that did have reservations that were viewed,
it varied with regard to the percentage of reservations that were accessed,"
the statement said.
Sabre said it regrets the incident, and "our industry,
like many, faces ever increasing cybersecurity threats that require strong
partnerships across the travel ecosystem. Sabre will continue to take strong
measures to protect the interests of our customers and the traveling public."