Travel services company Sabre Corp. acknowledged this week that it’s in the middle of investigating a data breach in its Hospitality Solutions reservation system that may have spilled personally identifiable information and payment card data belonging to its customers.
The Texas-based company disclosed the breach Tuesday in a quarterly 10-Q filing with the Securities and Exchange Commission.
According to the filing, attackers may have secured access to payment information contained in a subset of hotel reservations processed through SynXis, the company’s central reservation system.
The platform, a cloud-based software as a service (SaaS) solution, allows employees to access room pricing, scheduling, and availability at participating hotels.
It’s unclear exactly what the company means by a “subset of hotel reservations.” According to marketing materials on Sabre’s site, SynXis is used at more than 36,000 properties. According to iDataLabs, the platform is used by nearly 500 hospitality companies, including the Kimpton Hotel and Restaurant Group and the Commune Hotel and Resort group (now Two Roads Hospitality), to name a few.
The company said that unauthorized access to the system had been shut off and that there’s no evidence of “continued unauthorized activity at this time.” Sabre did not get into details of the breach, such as when it began, when it was mitigated, or how an attacker may have gotten access to the system, but acknowledged that the compromise of “PII, PCI, or other information” could be a risk.
Sabre said in an accompanying press release on Tuesday it has contacted law enforcement and hired cybersecurity firm Mandiant to assist in its investigation.
The fact that SynXis is a cloud-based platform puts the onus on developers behind SaaS services to better secure their products, experts say.
“Clearly, the surface area that is potentially affected is huge,” John Martinez, VP of Solutions at Evident.io, said Tuesday night. “A breach of this magnitude underscores the need for SaaS services, especially those hosted on cloud providers, to increase their security posture capabilities at a faster rate. Not all cloud-borne vulnerabilities are covered by traditional security tools.”
The breach at Sabre’s Hospitality Solutions division is the latest in a long line of hospitality hacks over the past several years. InterContinental Hotels Group, a conglomerate that counts Holiday Inn and Crowne Plaza among its chains, announced two weeks ago that it was looking into a breach, the second it has disclosed this year.
Kimpton Hotel and Restaurant Group, a chain of boutique hotels, was breached last summer and is continuing to fight a class action case in the courts. On Tuesday the company moved to appeal a data breach suit ruling to the Court of Appeals for the Ninth Circuit.