The Trump, Four Seasons, Loews and Hard Rock hotel chains are warning customers that their personal information may have been exposed as a result of a massive breach of Sabre's SynXis reservations system disclosed earlier this year.
In late June, Google began notifying its employees that their personal information may have been exposed in the same breach, as company travel provider Carlson Wagonlit Travel also leveraged the SynXis system.
Trump Hotels recently posted a statement [PDF] on its website acknowledging that it had been notified by Sabre on June 5, 2017 that it was affected by the SynXis breach.
"This incident occurred on the systems of Sabre Hospitality Solutions, a service provider used by Trump Hotels," the company noted. "It did not affect Trump Hotels' systems."
According to Sabre's investigation, the unauthorized access to Trump Hotels reservation data began on August 10, 2016 and was terminated on March 9, 2017.
The information exposed includes cardholder names, payment card numbers, card expiration dates and some security codes, as well as some guest names, email addresses, phone numbers and mailing addresses.
Fourteen Trump properties were affected: Trump Central Park, Trump Chicago, Trump Doonbeg, Trump Doral, Trump Las Vegas, Trump Panama, Trump Soho, Trump Toronto, Trump Turnberry, Trump Vancouver, Trump Waikiki, Trump DC, Trump Rio De Janeiro, and Albermarle Estate.
In a statement [PDF] posted to its website, Four Seasons Hotels and Resorts stated that Sabre notified it on June 6, 2017 that it had been affected by the breach of the SynXis reservations system.
As with Trump Hotels, Sabre's investigation determined that Four Seasons payment card and other reservation information was accessed beginning on August 10, 2016, and the access was terminated on March 9, 2017.
"It is important to note that reservations made on Fourseasons.com, with Four Seasons Worldwide Reservations Office, or made directly with any of Four Seasons 10 hotels or resorts were not compromised by this incident," the company stated.
On July 6, Hard Rock Hotels & Casinos announced that Sabre had notified it on June 6 that it had been impacted by the SynXis breach, with the dates of access similarly ranging from August 10, 2016 to March 9, 2017.
Eleven Hard Rock properties were affected: the Hard Rock Hotel & Casino Biloxi, Hard Rock Hotel Cancun, Hard Rock Hotel Chicago, Hard Rock Hotel Goa, Hard Rock Hotel & Casino Las Vegas, Hard Rock Hotel Palm Springs, Hard Rock Hotel Panama Megapolis, Hard Rock Hotel & Casino Punta Cana, Hard Rock Hotel Rivera Maya, Hard Rock Hotel San Diego and Hard Rock Hotel Vallarta.
Separately, Loews Hotels said in a statement on its website that the Sabre breach had affected its properties as well.
"Following an investigation, Sabre notified us on June 6, 2017 that an unauthorized party gained access to account credentials that permitted access to payment card data and certain reservation information for some Loews Hotels' hotel reservations processed through Sabre's CRS," the company said.
In Loews' case, the access ran from August 29, 2016 to March 9, 2017.
The Ongoing Threat
This may just be the beginning -- Lisa Baergen, director of marketing at NuData Security, noted by email that the full scope of the Sabre breach isn't yet known.
"Every organization entrusted with PII -- both the direct-to-consumer providers such as the hospitality chains and the third parties such as Sabre -- should constantly be testing and hardening their defenses, and embracing more proactive and effective levels of security such as consumer behavior analytics solutions to help prevent identity thefts," Baergen said.
While hotels aren't banks, BitSight founder and CTO Stephen Boyer said by email, they have large volumes of credit card data flowing through their systems. "Cybercriminals continue to target organizations that have data (especially credit card data) that can be monetized," he said. "Control gaps and vulnerabilities that expose that card data will be exploited by motivated and skilled criminal groups using principally well understood and preventable methods."
The Risk Environment
RiskVision CEO Joe Fantuzzi said the hospitality industry is still relatively new to assessing its risk environment. "These series of breaches indicate that in addition to hospitals, financial institutions and retail chains, cyber perpetrators are clearly going after hotel chains with increased vigor, which also likely represent the low-hanging fruit for the attackers," he said.
"That means for hospitality organizations, understanding their risk environment -- especially business critical vulnerabilities exposed to third parties -- is now non-negotiable," Fantuzzi added. "Going forward, attackers are only going to double down on their effort to hit this vulnerable industry."
Companies that invest sufficiently in risk management, Fantuzzi said, will avoid discovering a devastating breach months or even years after the initial attack.
A recent Guidance Software survey of 330 North American IT professionals found one in four organizations suffered direct financial losses due to a an attack or breach in the past year. Among those hit by directly targeted breaches, 20 percent bore costs in excess of $1 million.
Thirty-five percent of respondents said assessing risk is the biggest IT security challenge, up from 32 percent in 2016.
"As cybercriminals continue to evolve their methods and capabilities, the challenge facing cyber security professionals will only grow," Guidance Software president and CEO Patrick Dennis said in a statement. "We see this reflected in the data on the frequency of attacks, costs of a breach and more. Enterprises are beginning to realize that compromise is inevitable, so they need to ensure that they have a complete strategy that includes costs for prevention and deep detection and response tools."