Sabre Corp. will make a $2.4 million payout and shore up its cybersecurity policies under an agreement with 27 state attorneys general who investigated a breach of its hotel-booking technology.
The settlement, announced Wednesday, involves a 2016 intrusion into the SynXis Central Reservation, run by the Texas-based corporation’s Sabre Hospitality Solutions subsidiary. The breach exposed the details of about 1.3 million credit cards.
The attorneys general held that Sabre responded poorly to the incident, particularly in notifying people that their information might be compromised.
“Sabre first failed its customers with a susceptible security system, then failed them when it came to provide proper notifications,” said New York Attorney General Letitia James. “Today’s agreement not only imposes a hefty fine on Sabre but will ensure that the company has the appropriate security and incident response plan in place so that its failure does not take place again.”
In announcing the breach in May 2017, Sabre said it hired incident-response company Mandiant, a division of FireEye. At the time, the company did not specify who was behind the breach, and Wednesday’s settlement does not mention any details about the attackers or their methods.
The settlement requires Sabre to “implement and maintain a comprehensive information security program, and a written incident response and data breach notification plan,” according to the attorneys general. “Sabre must also obtain an independent third-party security assessment and implement any recommendations to improve network security.”
Beyond the dangers of leaking people’s financial information, data breaches in the hospitality industry can be particularly sensitive, given that hotels, airlines and other parts of the sector hold details about people’s movements around the world.
“By not having appropriate information security measures or plans in place for responding to a data breach, Sabre left information belonging to millions of consumers vulnerable,” said illinois Attorney General Kwame Raoul. “Today’s settlement holds Sabre accountable and, more importantly, takes steps to safeguard against a future breach and better protects consumers.”
Sabre’s revenues in 2019 were nearly $4 billion. The company had not issued a comment about the settlement as of Thursday morning.