An unknown number of hotels have had customers’ bank card and payment details stolen following a cybersecurity breach at Sabre.
Cyber criminals accessed details of customers at multiple hotels using Sabre Hospitality Solutions’ SynXis reservations system over the course of seven months to March. Sabre became aware of the breach only at the start of May.
Hospitality groups whose customers’ card data has been compromised include Four Seasons Hotels, Rosewood Hotel Group and Trump Hotels.
Four Seasons said information “including cardholder name, card number, expiration date and potentially card security code” had been accessed. Bookings direct with the group were not affected.
Sabre revealed last month that customers of travel management companies and travel agencies could also be affected. But the full extent of the breach is unclear.
The company operates a global distribution system (GDS) for travel agents and tour operators, as well as reservations systems for airlines and hotels.
It first gave notice of the breach on May 2, saying it was “investigating unauthorised access to payment information…over a seven-month period from August 2016”. The company said it had “notified law enforcement” and engaged a cybersecurity firm.
Sabre subsequently announced: “This incident was limited to a subset of bookings. Not all our SHS [SynXis] customers had reservations accessed and… the percentage of reservations accessed varied…Not all reservations included the payment card security code.”
It added: “There is no indication Sabre’s Travel Network and Airline Solutions platforms were affected.” However, the company said: “Some travel management companies and travel agencies who booked travellers may have been affected.”
Sabre insisted it had “taken measures to ensure unauthorised access is no longer possible”.
A recent report by US telecoms giant Verizon described malware attacks as “absolutely rampant” in the hotel sector. Sabre has set up an information site: sabreconsumernotice.com