Sabre Breach May Have Exposed Payment Data at 36,000 Hotels


The travel technology company Sabre Corp. has acknowledged that its hotel reservation system was recently breached, according to investigative reporter Brian Krebs.

The breach affects a platform that Sabre says is used by more than 36,000 hotels worldwide.

In its most recent quarterly filing with the SEC, the company stated, "We are investigating an incident involving unauthorized access to payment information contained in a subset of hotel reservations processed through the Sabre Hospitality Solutions SynXis Central Reservation system."

In a separate statement, Sabre added, "We have engaged Mandiant, an independent third-party cybersecurity expert, to support our investigation and have also notified law enforcement. The unauthorized access has been shut off and there is no evidence of continued unauthorized activity. There is no reason to believe that any other Sabre systems beyond SynXis Central Reservations have been affected."

Interconnected Applications

Still, Prevalent director of product management Jeff Hill told eSecurity Planet by email that it's possible the entire attack surface hasn't yet been identified. "The compromised Sabre system, according to its website, offers 'seamless connectivity to over 120 property management, 7 revenue management, 7 CRM and 18 content management solutions,' yielding another 152 potential applications this single successful attack could expose to the cyber criminals," he said.

"Application interconnectivity enables myriad benefits that consumers of enterprise software take for granted, but it also gives cybercriminals multiple pathways with which to exploit a single breach," Hill added. "This expansive, tightly-linked 'data supply chain' is a reality of the modern business world, and of the information security community. Managing risk across third party vendors, fourth party vendors, and the entire data supply chain has never been more important to an organization's overall security posture."

And Michael Magrath, director of global regulations and standards at VASCO Data Security, said that although Sabre described the breach as "unauthorized access," it could well be tied to compromised login credentials, like several other recent breaches. "Sabre, like many other organizations, enables access to its system with only a username and static password, both something one knows, a.k.a. single factor authentication," he said.

"Although convenient, password login has proven, time and again, to be unsecure," Magrath added. "Organizations collecting and storing sensitive customer data such as date of birth, credit card information, etc., should replace static passwords with multi-factor authentication solutions to be used across all devices: PCs, tablets, phones, etc."

Protecting Your Reputation

A recent Blancco Technology survey of more than 750 corporate IT professionals in the U.S. and U.K. found that organizations are more concerned about their reputations than about regulatory penalties -- 48 percent of respondents said their biggest concern regarding data protection is protecting their reputations, while just 38 percent are concerned about passing audits and 40 percent are concerned about avoiding penalties.

Four percent of respondents admitted that they either never conduct internal audits or only do so on request.

Sixty-nine percent of respondents allow employees to transfer data onto their personal mobile devices with only minor limitations, and 33 percent allow employees to move data to cloud services like Dropbox without any restrictions at all.

Sixteen percent of organizations have no data removal policy for when data is no longer needed, and 22 percent said they keep data forever.

"Organizations need to learn that as data ages, its usefulness declines," Blancco chief strategy officer Richard Stiennon said in a statement. "In actual fact, all retained data is a liability for discovery, breach, theft or loss."