Sabre, the multinational travel industry titan, alerted hotels about an apparent breach of its software-as-a-service SynXis Central Reservations system that could affect 36,000 properties, customers’ payment card data and personal details.
KrebsOnSecurity reported that Southlake, Texas-based Sabre in a quarterly filing with the U.S. Securities and Exchange Commission said it was investigating an incident of unauthorized access to payment information contained in a subset of its hotel reservations system.
Sabre provides technology to the international travel industry, including airlines and hotel properties, and also operates a travel marketplace, which processes more than $120 billion of annual travel expenditures across 160 countries.
“The unauthorized access has been shut off and there is no evidence of continued unauthorized activity,” read a statement Sabre sent to affected properties. “There is no reason to believe that any other Sabre systems beyond SynXis Central Reservations have been affected.”
Sabre told customers that it didn’t have any additional details about the breach to share at this time, so the cause, source and extent of the breach remain uncertain. Sabre said it has engaged security forensics firm Mandiant to support its investigation, and it has notified law enforcement.
“Clearly, the surface area that is potentially affected is huge. A breach of this magnitude underscores the need for SaaS services, especially those hosted on cloud providers, to increase their security posture capabilities at a faster rate,” John Martinez, VP of customer solutions at Pleasanton, Calif.-based Evident.io, said. “Not all cloud-borne vulnerabilities are covered by traditional security tools; these threats require security tooling and services that are born in, and optimized for the cloud.
Martinez maintained, “This is an instructive event that highlights the importance of using a shared responsibility model to increase visibility into vulnerabilities, and bring a more comprehensive approach to risk mitigation.”
The news comes amid other recently hospitality industry breach revelations such as the most recent disclosure at Intercontinental Hotel Group, which found malware compromised registers at more than 1,000 properties. Other incidents took place at some of the largest hospitality chains over the past few years including Trump Hotels, Hilton, Mandarin Oriental, White Lodging, Starwood and Hyatt.
The food-service industry has also seen as steady diet of payment card incidents such as the most recent episode involving the restaurant chain Chipotle, which revealed unauthorized activity on its payment processing network. There was no specific detail other than the investigation is ongoing and focused on card transactions from March 24, 2017 through April 18, 2017. Others in a string of restaurant industry breaches, includes Wendy’s, Arby’s and Shoney’s.
All of these incidents point highlight another problem involving disclosure.
“Chipotle finds itself in the unenviable company of organizations – a list that seems to grow weekly, if not daily – that are reporting data breaches. In truth, no company is entirely breach proof and no system is entirely secure. Instead, it’s important to build a resilient security and data protection program and be prepared for the worst,” Dana Simberkoff, chief compliance and risk officer at Jersey City, N.J.-based AvePoint, stated.
Simberkoff added, “Disclosure laws mean that the consequences of failure have increased to organizations that suffer a breach. While we’ve seen a shift in external pressures of citizens and regulators, technology has also progressed – introducing a more complex and rapidly evolving ecosystem to protect far more data than has ever been managed before.”
