Sabre Says Stolen Credentials Led to BreachTravel Giant Declined to Release Number of Victims
Travel industry giant Sabre said Wednesday an intruder using stolen account credentials for its widely used reservations software had access to payment card details and personal information over a seven-month period. But it declined to say how many people are affected.
See Also: The Global State of Online Digital Trust
Sabre, which is based in Southlake, Texas, disclosed in early May a suspected breach affecting its SynXis Central Reservations system. The software-as-a-service system is used by travel agencies, hotels and booking services for such functions as rate and inventory management (see Sabre Warns Hotels: Card Data Potentially Compromised).
The exposure period started in August 2016 and ran through March. The information at risk includes payment cardholder names, card numbers and expiration dates, Sabre says.
For some reservations, the three-digit security code on the reverse of the card was exposed, but a "large percentage" of bookings were made without the code, the company says. Some bookings were made using virtual payment card numbers, it adds.
Guest names, phone numbers, addresses and other information were at risk, but not Social Security, driver's license or passport numbers, according to Sabre.
"Our investigation did not uncover forensic evidence that the unauthorized party removed any information from the system, but it is a possibility," Sabre says. In May, the company said FireEye's Mandiant investigations unit assisted with the investigation.
Unknown Number of Victims
Sabre did not give a figure for how many payment cards or individuals were affected. Sabre spokesman Tim Enstice tells Information Security Media Group that "less than 15 percent of the average daily bookings" using the reservation system were viewed.
Enstice declined to answer how many daily bookings, on average, are made. But the SHS reservation system is used at 36,000 locations, from small hotels to large global chains, as well as for property management.
If each location only made one booking a day, the number of transactions would exceed 1 million in a month. At the bare minimum, 15 percent exposure would mean 150,000 transactions a month would be at risk.
Enstice disputed that estimate, saying it was "pure speculation." But Computerworld reported in August 2015 that Sabre's various software systems processes 2 billion transactions per day affecting 1 billion travelers a year.
Sabre says it has contacted travel management companies and travel agencies that do not use SHS reservations software, as well as those that do. "We have engaged Epiq Systems to provide complimentary notice support for those customers that determine they have a notification obligation," Sabre says.
The company also has created a website to notify consumers. It advised consumers to monitor account statements and report suspicious activity to financial institutions.
Second Security Incident
The breach is at least the second cybersecurity incident for Sabre in as many years.
In an Aug. 4, 2015, filing with the U.S. Securities and Exchange Commission, Sabre said it was investigating a "cybersecurity incident involving several servers managed by a third party."
Bloomberg reported a month later that investigators believed hackers linked with China attacked Sabre as well as American Airlines. The hacking group was suspected to be the same one that struck health insurer Anthem and the U.S. government's personnel office.
In February 2016, Sabre said it concluded its investigation, writing in its annual report that it found "no loss of traveler data, including no unauthorized access to or acquisition of sensitive protected information, such as payment card industry data or personally identifiable information in connection with this incident."
In February 2015, Anthem said the personal information of 78.8 million individuals was stolen, including names, dates of birth, Social Security numbers and healthcare identity numbers. Anthem has agreed to a proposal to settle a related class-action suit for $115 million, which a federal court will review next month (see Analyzing the Anthem Breach Class Action Settlement).
In one of the largest breaches to affect the U.S. government, the details of 4.2 million federal employees and up to 10 million former employers and contractors were stolen from the U.S. Office of Personnel Management (see Millions More Affected by OPM Breach).