Travel agents and travelers are beginning to be impacted by the computer hack on Sabre’s lodging management tool, as Google says its employees’ data may be at risk, and a global agency was mistakenly blamed for the electronic break-in.
Sabre is communicating with travel agencies and customers whom they believe could have data at risk, and has launched a microsite with FAQs about the situation.
This week, Sabre issued a statement following up on its announcement earlier in the spring, saying it has “notified and been working with certain customers and partners that use or interact with Sabre Hospitality Solutions’ (SHS) SynXis Central Reservations system (SHS reservation system) about our previously disclosed incident of unauthorized access. Our investigation is complete and we have determined that an unauthorized party accessed certain payment card information for a limited subset of hotel reservations processed through the SHS reservation system.”
The GDS said the data involved is from August 2016 through March 2017.
“Not all of our SHS customers had reservations that were accessed, and even for those that did have reservations that were viewed, it varied with regard to the percentage of reservations that were accessed," Sabre noted. "The data submitted to the SHS reservation system varied, as well as the geographic locations of both our customers and their respective guests, so we have worked to provide those Sabre customers that had reservations that were viewed with all available information to evaluate their affected reservations and customer lists.”
On a microsite of FAQs, Sabre said “payment card information for hotel reservations, including cardholder name; payment card number; card expiration date; and, for a subset of reservations, payment card security code” may have been accessed. A large percentage of the bookings that were hacked were made without a security code being provided, Sabre was able to determine. Others were processed using virtual card numbers in lieu of consumer credit cards.
“The unauthorized party was also able, in some cases, to access certain information such as guest name, email, phone number, address, and other information. Information such as Social Security, passport, or driver’s license number, was not accessed.”
Further, Sabre said “there is no indication that any other Sabre systems beyond the SHS reservation system, such as Sabre’s Travel Network and Airline Solutions platforms, were affected by the unauthorized party. We have taken successful measures to ensure this unauthorized access to the SHS reservation system was stopped and is no longer possible. Our investigation did not uncover forensic evidence that the unauthorized party removed any information from the system, but it is a possibility.”
Lodging reservations system’s role confuses the public
The complex data flow of hotel bookings seems to have swept up at least one major travel agency erroneously. What most news reports have failed to make clear is that SynXis is at the farthest end of the reservations process from travelers and their travel agency.
As Sabre says on the SynXis website, its tool is more of an “inventory management” software application that supports rate, inventory and distribution services directly to hotels. It connects hotel property and revenue management tools, customer relationship management software and content management tools with the GDS to facilitate the back-and-forth communications required to book a room.
When travelers call an agent or try to book through an online travel agency, depending on the hotel they choose, their request first goes through the GDS, which may or may not be Sabre. The request might then be routed to SynXis (which can communicate with all GDS), but only if the hotel property has chosen to use the system.
In a March 2015 press announcement, Wyndham Hotels announced it would use SynXis. TMR contacted Wyndham about its relationship with SynXis, but did not receive a reply by press time. (TMR also contacted Hilton Hotels and Marriott International about their potential relationship with SynXis, but received no reply.)
Earlier this year, Global Hotel Alliance, a group of independent hotel brands with 550 hotels in 76 countries, signed a deal to offer its 35 brands the SynXis software. Some of the brands include Kempinski, Lungarno, Marco Polo, Outrigger, Pan Pacific, PARKROYAL and the Ultratravel Collection.
Carlson Wagonlit swept up in news reports, often incorrectly
The Register, a UK Internet site that covers technology, reported on June 30 that “one of the agencies relying on the SynXis reservation system was Carlson Wagonlit Travel (CWT), which Google pays to handle booking rooms for business trips. As it turns out, the details for some of those Google trips were among the hackers' haul.”
While the headline of the story was neutral, the URL linking to the article hinted that CWT might be at fault.
In its article, The Register published a form letter that Google sent out to its employees to alert them to the identity theft risk, and to provide assistance (including credit monitoring services and links to the Sabre microsite.)
According to The Register, the Google letter said that "Sabre notified CWT, which uses the SynXis CRS, that an unauthorised party gained access to personal information associated with certain hotel reservations made through CWT. CWT subsequently notified Google about the issue on June 16, 2017, and we have been working with CWT and Sabre to confirm which Google travelers were affected."
Further complicating matters, in a story published July 3, the International Business Times headline misstated “Google employees' private and card data feared leaked after travel agency got hacked.”
IBT updated the story when contacted by CWT, but still left responsibility for the hack unclear.
When contacted by TMR, CWT would not go into details about the Google situation, but in a statement said, “CWT was informed by Sabre that some traveler data had been viewed by an outside party due to a breach of Sabre’s Hospitality Solutions/SynXis Central Reservation system (“SHS”), which provides reservations technology and support to hotels."
“Our hotel transactions need to go to the hotels through some channel. Where a hotel uses SynXis, those transactions are the ones that were impacted,” a company spokesman told TMR.
Carlson Wagonlit is making every effort to clarify its role in the booking ecosystem, and made an effort to point out that “SHS is not a CWT technology platform or a solution used by CWT.”
Sabre offers consumers identity protection advice
Sabre recommends that travelers “remain vigilant for incidents of fraud and identity theft by regularly reviewing your account statements and monitoring free credit reports for any unauthorized activity. If you discover any suspicious or unusual activity on your accounts, be sure to report it immediately to your financial institutions, as major credit card companies have rules that restrict them from requiring you to pay for fraudulent charges that are timely reported.”
Sabre also recommends consumers "contact the Federal Trade Commission (FTC) or law enforcement, such as your state attorney general, to report incidents of identity theft." If you find that your information has been misused, the FTC recommends filing a complaint with the FTC; closing the accounts you believe have been tampered with or opened fraudulently; and "filing and keeping a copy of a local police report as evidence of the identity theft crime."