Hard Rock, Loews Hotels Among Sabre Corp Hospitality Breach Victims

Victims of Sabre Corp’s SynXis reservation system breach reportedly include both the Hard Rock Hotel and Casino chain and the Loews Hotel chain.

For the second time in the past year the Hard Rock Hotels and Casinos franchise is encouraging guests to keep tabs on their bank account statements for suspicious activity.

The hotel, resort, and casino chain on Thursday said it was alerted on June 6 that its systems were impacted by a security incident involving Sabre Hospitality Solutions (SHS) SynXis, an inventory management SaaS application.

According to SEC filings, Sabre had been investigating a data breach involving SynXis back in May. The SynXis service is used by nearly 500 hospitality companies, but until this week it wasn’t clear exactly which hotels were impacted.

According to a press release on Thursday, 11 Hard Rock properties, including the Hard Rock Hotel and Casino Las Vegas and the Hard Rock Hotel Cancun, were affected by the Sabre breach. As part of the breach, the chain claims an attacker gained access to SynXis account credentials, something which gave them access to unencrypted payment card information and a number of reservations processed via the reservation system.

It was around this time last summer that the Hard Rock Hotel and Casino in Las Vegas began notifying guests and patrons that restaurants and retail outlets there had been hit by a breach. Customers who made purchases between October 27, 2015 and March 21, 2016 were hit by card scraping malware that may have accessed their name, credit card number, expiration date and 3-digit internal verification code.

Loews Hotels, a luxury hotel chain with 24 locations in the U.S. and Canada, reportedly also began warning customers they were impacted by the Sabre breach this week. A report by a journalist for NBC 10 Philadelphia said on Thursday the hotel chain was implicated in the SynXis incident, but didn’t describe which locations were hit.

The news comes a day after Sabre disclosed, for the first time since May, details around the incident.

Following an investigation, Sabre said on Wednesday that limited information parsed through the SHS SynXis reservation system for seven months, between August 10, 2016 and March 9, 2017, was accessed.

Sabre said an unauthorized party using stolen account credentials used the software to secure access to the system.

The company declined to specify exactly how much data was accessed but said that booking information and “certain payment card information for a limited subset of hotel reservations” were accessed. The company gave the same “subset of hotel reservations” figure in a quarterly 10-Q filing with the SEC back in May when it initially disclosed the breach.

When reached Friday, Timothy Enstice, a spokesman for Sabre, stressed that only 15 percent of the average daily bookings on the SHS reservation system between August and March were viewed.

According to Sabre’s site the SynXis platform is used at over 36,000 hotel properties.

“Not all reservations that were viewed included the payment card security code, as a large percentage of bookings were made without a security code being provided,” Sabre said via statement. “Others were processed using virtual card numbers in lieu of consumer credit cards. Personal information such as social security, passport or driver’s license number was not accessed. Sabre has notified law enforcement and the credit card brands as part of our investigation.”

Last week a copy of a letter sent to some Google employees notifying them they may have been affected by the Sabre breach surfaced on the State of California’s Office of the Attorney General website.

In the letter, dated June 29, Google said it learned on June 16 that Carlson Wagonlit Travel was also affected by the SynXis breach. In that incident Google business travelers may have had their hotel reservations, name, contact information, and payment card information compromised as a result.

Discussion

  • Robert Hartman on

    I was just notified that Sabre Hospitality released personal info to hackers including names, addresses, credit card numbers with expiration dates and the CVV numbers (which are not allowed to be stored post sale). This company says that it's "sorry for the inconvenience" but has not done anything to correct the breach to my knowledge. If you've booked with these people lately, you probably will want to get another credit card... and you'd better keep an eye on your credit report as well.
