Billion-dollar travel technology company Sabre Corp. agreed to settle with two dozen attorneys general last month in connection to a 2017 breach of its Hospitality Solutions system; the incident exposed 1.3 million credit cards belonging to travelers who used the system to book travel.
Attorneys General from 27 different states entered into an Assurance of Discontinuance, a good-faith settlement, with the company shortly before Christmas.
The settlement finally ties a bow on a data breach that happened almost five years ago. An unknown attacker managed to infiltrate SynXis, Sabre's central reservations booking engine, from August 2016 to March 2017, in order to access payment information from hotel reservations processed by the company.
While in the system, the attacker was able to move from section to section, accessing some pages daily, including those containing credit card information such as card numbers, expiration dates and authorization codes. The attacker moved around in SynXis by compromising an administrator-level account whose password was stored in plain text within SynXis.
It wasn't until March, more than six months after the attacker had secured access to the system, that Sabre became aware. Unfortunately, once it realized, Sabre failed to completely disable the fraudulent account: the company only disabled the account's access to the credit card summary page, and the attacker was still able to continue accessing other admin pages.
The public learned of the breach several months later, in May 2017, following a disclosure in the company's quarterly 10-Q filing with the U.S. Securities and Exchange Commission. The Attorneys General launched an investigation into Sabre shortly after the breach came to light, contending that the company's cybersecurity measures were inadequate and that it failed to properly notify customers who were impacted by the breach.
Sabre informed hotel customers of the breach in June, two months after it began investigating and a month after it notified payment card companies. It left notifying consumers largely to the hotels, a choice that led to some notifications not going out until late 2017 or early 2018.
As part of the settlement, Sabre assures that it will continue to comply with state laws and industry standards like security breach notification acts and the Payment Card Industry Data Security Standard, or PCI DSS.
Also as part of the settlement, the company, as many do following breaches, has to develop and maintain an information security program that meets certain requirements, ensure it has a CISO, or Chief Information Security Officer, overseeing it, and ensure that the program is reviewed and that employees are following its requirements.
That’s just the tip of the iceberg. The company also has to develop and oversee an incident response and data breach notification plan, one that addresses the following concepts: preparation, detection and analysis, containment, notification and coordination with law enforcement, eradication, recovery, consumer and regulator notification and remediation, and post-incident analysis. It also has to require multi-factor authentication for remote access to the booking tool, use behavior analytics tools, like a SIEM, maintain a penetration testing program, and undergo periodic third-party assessments.
In response to the settlement last month, Letitia James, New York's AG, said that Sabre failed its customers doubly.
“Companies need to do a better job of notifying New Yorkers when their personal information has been breached,” said AG James. “Sabre first failed its customers with a susceptible security system, then failed them when it came to providing proper notifications. [This] agreement not only imposes a hefty fine on Sabre but will ensure that the company has the appropriate security and incident response plan in place so that its failure does not take place again.”