Back in May, Sabre Hospitality Solutions (SHS) announced that they had experienced “an incident of unauthorized access to payment information” in its SynXis Central Reservation system (SHS reservation system). They have now completed their investigation and have determined that an unauthorized party gained access to certain payment card information for a limited subset of hotel reservations processed through the SHS reservation system during the period August 10, 2016 through March 9, 2017.

Sabre has contained the issue and revoked the unauthorized access but some guest information may have been compromised as a result of the incident. Sabre's investigation did not uncover evidence that the unauthorized party removed any information from the system, but it is a possibility.

Since then, Sabre has been working with certain customers and partners that use or interact with the SHS reservation system, as well as some travel management companies (TMCs) and travel agencies that do not use or interact with the Sabre SynXis system, but had booked travellers that may have been affected.

“We have engaged Mandiant, an independent third-party cybersecurity expert, to support our investigation and have also notified law enforcement.” said the original statement from Sabre. “The unauthorized access has been shut off and there is no evidence of continued unauthorized activity. There is no reason to believe that any other Sabre systems beyond SynXis Central Reservations have been affected.”

Thousands of hotels, from small, independent properties to large global chains, that use Sabre's SHS reservation system, have been impacted by this incident. Therefore, it is possible that affected individuals may receive multiple notifications about this incident from multiple hotel properties or hotel brands, credit card companies, or other travel partners.

We have engaged Epiq Systems to provide complimentary consumer notice support for those customers that determine they have a notification obligation." Sabre's update stated.  "The data submitted to the SHS reservation system varied, as well as the geographic locations of both our customers and their respective guests, so we have worked to provide those Sabre customers that had reservations that were viewed with all available information to evaluate their affected reservations and customer lists."

According to a notice from SHS customer Four Seasons Hotels regarding breach, “The unauthorized party was able to access payment card information for certain hotel reservation(s), including cardholder name; payment card number; card expiration date; and, potentially, card security code. The unauthorized party was also able, in some cases, to access certain information such as guest name, email, phone number, address, and other information. Information such as Social Security, passport, or driver's license number was not accessed.”

Customers affected by this breach should remain vigilant for incidents of fraud and identity theft by regularly reviewing account statements and monitoring free credit reports for any unauthorized activity. If there is any suspicious or unusual activity on accounts, affected individuals should report it immediately to their financial institutions, as major credit card companies have rules that restrict them from requiring payment for fraudulent charges that are reported in a timely manner.

Four Seasons stated that they are  working closely with Sabre to ensure Four Seasons guests are notified in a timely manner and provided with appropriate information. Four Seasons guests with available email or mailing addresses have been sent notification of this incident commencing on July 6, 2017. Other SHS hoteliers are likely to do the same.

For more information, a general consumer information site is available.

Follow @TravelPulseCA