May 2, 2017

Breaches involving major players in the hospitality industry continue to pile up. Today, travel industry giant Sabre Corp. disclosed what could be a significant breach of payment and customer data tied to bookings processed through a reservations system that serves more than 32,000 hotels and other lodging establishments.

sabreIn a quarterly filing with the U.S. Securities and Exchange Commission (SEC) today, Southlake, Texas-based Sabre said it was “investigating an incident of unauthorized access to payment information contained in a subset of hotel reservations processed through our Hospitality Solutions SynXis Central Reservations system.”

According to Sabre’s marketing literature, more than 32,000 properties use Sabre’s SynXis reservations system, described as an inventory management Software-as-a-Service (SaaS) application that “enables hoteliers to support a multitude of rate, inventory and distribution strategies to achieve their business goals.”

Sabre said it has engaged security forensics firm Mandiant to support its investigation, and that it has notified law enforcement.

“The unauthorized access has been shut off and there is no evidence of continued unauthorized activity,” reads a brief statement that Sabre sent to affected properties today. “There is no reason to believe that any other Sabre systems beyond SynXis Central Reservations have been affected.”

Sabre’s software, data, mobile and distribution solutions are used by hundreds of airlines and thousands of hotel properties to manage critical operations, including passenger and guest reservations, revenue management, flight, network and crew management. Sabre also operates a leading global travel marketplace, which processes more than $110 billion of estimated travel spend annually by connecting travel buyers and suppliers.

Sabre told customers that it didn’t have any additional details about the breach to share at this time, so it remains unclear what the exact cause of the breach may be or for how long it may have persisted.

A card involving traveler transactions for even a small percentage of the 32,000 properties that are using Sabre’s impacted technology could jeopardize a significant number of customer credit cards in a short amount of time.

The news comes amid revelations about a blossoming breach at Intercontinental Hotel Group (IHG), the parent company that manages some 5,000 hotels worldwide, including Holiday Inn and Holiday Inn Express.

KrebsOnSecurity first reported in December 2016 that cards used at IHG properties were being sold to fraudsters, but it took until February 2017 for IHG to announce it had found malicious software installed at front-desk systems at just a dozen of its properties. On April 18, IHG disclosed in an update on the investigation that more than 1,200 properties were affected, and that there could well be more added in the coming days.

According to Verizon‘s latest annual Data Breach Investigations Report (DBIR), malware attacks on point-of-sale systems used at front desk and hotel restaurant systems “are absolutely rampant” in the hospitality sector. Accommodation was the top industry for point-of-sale intrusions in this year’s data, with 87% of breaches within that pattern.

“Apparently, it is not only The Eagles that are destined for a long stay at the hotel,” Verizon mused in its report. “The hackers continue to be checked in indefinitely as well. Breach timelines continue to paint a rather dismal picture—with time-to-compromise being only seconds, time-to-exfiltration taking days, and times to discovery and containment staying firmly in the months camp.”

Card-stealing cyber thieves have broken into some of the largest hotel chains over the past few years. Hotel brands that have acknowledged card breaches over the last year after prompting by KrebsOnSecurity include Kimpton HotelsTrump Hotels (twice), Hilton, Mandarin Oriental, and White Lodging (twice). Card breaches also have hit hospitality chains Starwood Hotels and Hyatt

In many of those incidents, thieves planted malicious software on the point-of-sale devices at restaurants and bars inside of the hotel chains. Point-of-sale based malware has driven most of the credit card breaches over the past two years, including intrusions at Target and Home Depot, as well as breaches at a slew of point-of-sale vendors. The malicious code usually is installed via hacked remote administration tools. Once the attackers have their malware loaded onto the point-of-sale devices, they can remotely capture data from each card swiped at that cash register.

Thieves can then sell that data to crooks who specialize in encoding the stolen data onto any card with a magnetic stripe, and using the cards to purchase high-priced electronics and gift cards from big-box stores like Target and Best Buy.

Readers should remember that they’re not liable for fraudulent charges on their credit or debit cards, but they still have to report the unauthorized transactions. There is no substitute for keeping a close eye on your card statements. Also, consider using credit cards instead of debit cards; having your checking account emptied of cash while your bank sorts out the situation can be a hassle and lead to secondary problems (bounced checks, for instance).


26 thoughts on “Breach at Sabre Corp.’s Hospitality Unit

  1. Mike

    Judging from their current LinkedIn information security employee job titles and the two current infosec job postings on their HR site, my guess is they outsourced their security program. Wonder who to?

    1. JCitizen

      That would be reasonable to assume, but even big corporations put IT security on such a low level, that I would not be the least bit surprised if those jobs listed on the site were the only employees they had working on the subject – I wouldn’t doubt at all that they had NO outsources security at all!

    2. former emp

      They oversee security operations directly.

  2. Matthew P Clements

    Thanks for all you do for bringing these kinds of issues to light!

  3. Enthusiast

    Looks like a typo:

    “more than 32,000 properties use Sabre’s XynXis reservations system”

    Shouldn’t it be Synxis?

    Good article – worried about how impactful this will be on the travel industry and traveler’s data.

    1. somguy

      Why should it be? None of the others (some bigger) recently have been.

      Remember, in USA, there’s very little liability using a credit card for the average traveler. That’s what that whole few percent CC fee to the merchants helps pay for. Glance at the bill once a month and you are good. $50 max liability which most CC companies waive so it’s $0 liability for fraud if reported.
      Sure it’s better to track every transaction as soon as it hits, but many don’t have time for that

  4. IRS iTunes Card

    Good article, didn’t have a chance to read the 2017 Data Breach Investigations Report yet.

  5. kopecky

    Could be another 3rd party vendor vulnerability?

  6. hospiguy

    The boilerplate sounds so generic they could have a single client whose password was guessed, or it could be a full breach. I’m curious to know which end of the spectrum this lies on. Most of these systems are simply a pass-between for credit card data so unless they had a large design flaw in their data core (not encrypting card data at rest, for example) the breach size would typically be smaller than you’d think.

    1. Jason

      My big worry is if they got any domain/system access, Sabre’s API’s are kind of ridiculously integrated for travel industry. A breach in one part of the ‘all these other common travel things you book’ chain could very likely mean a breach to all of them.

  7. vb

    My guess is that this is going to be big breach. As usual in these breaches, they trickle out the details over a long period of time in order to reduce the publicity impact.

    Read the announcement: “unauthorized access to payment information contained in a subset of hotel reservations processed through our .. Reservations system” That’s many thousands of reservations. Every reservation include payment information. Does anyone really think they have separate subset systems for each hotel?

  8. Drone

    This is potentially nothing like the penetrations mentioned before. Those were relatively limited in scope and often closer to the point-of-sale.

    This thing on the other-hand has Far more potential. Sabre is huge in handling travel & hospitality transactions, likely the biggest. Think on the order of 100’s of Thousands of Transactions Per Second!

  9. Alf Richter

    We waited several months for this info as the other breaches (IHG, Hilton, etc) could not explain the number of fraud with different suspect hospitality sources.

    This might be the new “MOAB” in cc payment….

  10. olerex

    Id like to ask the question..what is the reason to report about data breaches ??

    1. Matthew

      Primarily, so the rest of us don’t make the same mistake.

    2. Santa Claus

      it’s the law in 49 states to publicly report breaches…

  11. Tony Pelliccio

    This is one of those things that it’s not difficult to secure against, but it’s difficult to prevent hardware hacks. I still maintain to this day that issuing banks should be REQUIRED to give every customer their card and an RSA Token or if you trust Goolge Authenticator on their phone. That way something you have, something you know and something you can’t predict. Be hard to counterfeit cards then.

    1. Robert MacKinnon

      EMV helps in the fight against counterfeit fraud by making the track-equivalent data difficult to reproduce on a mag stripe. There is a push on by at least one Card Brand for issuers to include the use of dynamic CVV, which is equivalent to the RSA component you desire. This control would help in the fight against card-not-present fraud.

      1. trotsky

        emv..right,but under your skin.
        then you are in safe Goy.

  12. revo

    Problem its not as much techical factor its 100% humen factor.
    Techical solution would not help here !!

  13. AeroStar

    This is the second breach at Sabre in two years. The first one was in their main business and was in the news as well. They reported that no customer data was lost.

    Sabre invested heavily in state of the art technology in the wake of that breach. Goes to show that throwing money at technology does not necessarily bring security. People and processes are perhaps far more important.

    Sabre’s IT infrastructure is hosted by HP. Info Sec team is in house.

    They had a good team of security professional, who left the company a couple of year ago. The new management lacks experience and insight.

    1. Bob

      Any idea why they all left? Did they decide to form their own security firm?

  14. FERENC LEDNICZKY

    As we see it, Positive Access Control is the Essential First Step to Secure Cyberspace!
    Ergo – a natural person – is a loose cog in the wheel that must be tightened before we can think about securing cyberspace.
    The digital world is exacting and based on mathematics. Controlling who can sign in and what they can do is theoretically possible; but this pesky malleable human component in the chain of commands throws off the math. Why? Because we can’t count on a person to be exact all the time. Current software needs to allow for recovery and needs to create “backdoors” which are binary strings by nature, and can be searched, copied, distributed, altered, reused, stolen, and sold; thus, vulnerable for hacking.
    We promote a model of continuous authentication to positively confirm the presence of a live known person and progressively observe them while facing their devices to make sure that the person not just opens the front door but – stands – in the door, blocking anybody else to get in while connected

  15. imexes

    Sir,
    Please give me more information How can start this business?

  16. education sites

    Having read this I believed it was extremely enlightening. I appreciate you spending some time and effort to put this information together. I once again find myself spending way too much time both reading and leaving comments. But so what, it was still worthwhile!

Comments are closed.