Sabre Corporation, a major technology solution provider serving airline and hotel companies, has disclosed a breach of its Hospitality Solutions SynXis Central Reservations system that may have exposed consumers' payment card data and personally identifiable information.
In a quarterly report filed on Tuesday, the $3.37 billion corporation acknowledged that its SynXis software-as-a-service platform was accessed by an unauthorized party, who gained access to payment information corresponding to a subset of hotel reservations. Sabre did not specify when or how the actual intrusion took place or how many records are potentially affected.
"The unauthorized access has been shut off and there is no evidence of continued unauthorized activity. There is no reason to believe that any other Sabre systems beyond SynXis Central Reservations have been affected," the company reported in its quarterly filing and a related press statement. In response to the incident, Sabre contacted law enforcement, began notifying affected customers and hired the cybersecurity investigatory firm Mandiant, a FireEye company, to investigate.
The tech company also noted that it is the holder of an insurance policy that covers certain aspects of cyber risk, but it cannot at this time estimate future liability costs related to the breach.
According to Sabre's website, the SynXis Central Reservations solution optimizes distribution, operations, retailing and guest experience, while connecting property management and central reservation systems. More than 36,000 hotel properties rely on the technology, Sabre claims, including independent operators and large global hospitality chains.
This latest incident represents yet another attack against the hospitality industry, which has been besieged with data breaches and point-of-sale malware infections. Recent victims include Hyatt Hotels Corp, InterContinental Hotels Group, Kimpton Hotels and Restaurants, Omni Hotels & Resorts and Rosen Hotels & Resorts.
"While we don't know the specifics of who had unauthorized access to the information and what tactics were used, we've seen from similar attacks that hackers gain access with co-opted credentials of someone with too much access. The attack on Hyatt earlier this year is a perfect example of hackers gaining access to payment systems by exploiting excessive employee permissions." Ken Spinner, VP of field engineering at enterprise infosec management company Varonis Systems, in a statement.
Michael Magrath, director, global regulations and standards at VASCO Data Security, agreed that this could be a case of compromised log-in credentials. "Sabre, like many other organizations, enables access to its system with only a username and static password, both something one knows – a.k.a. single factor authentication," said Magrath in emailed comments. "Although convenient, password lo-gin has proven, time and again, to be unsecure. Organizations collecting and storing sensitive customer data such as date of birth, credit card information, etc. should replace static passwords with multi-factor authentication solutions to be used across all devices..."
Jeff Hill, director of product management at third-party risk management solutions provider Prevalent, expressed concern that the integrated nature of the reservations system could potentially increase Sabre's attack surface. "The compromised Sabre system, according to its website, offers 'seamless connectivity to over 120 property management, seven revenue management, seven CRM and 18 content management solutions,' yielding another 152 potential applications this single successful attack could expose to the cybercriminals," Hill speculated in a statement. "Application interconnectivity enables myriad benefits that consumers of enterprise software take for granted, but it also gives cyber criminals multiple pathways with which to exploit a single breach."