[BreachExchange] Sabre Says Stolen Credentials Led to Breach

Destry Winant destry at riskbasedsecurity.com
Thu Jul 6 19:47:47 EDT 2017


http://www.databreachtoday.com/sabre-says-stolen-credentials-led-to-breach-a-10087

Travel industry giant Sabre said Wednesday an intruder using stolen
account credentials for its widely used reservations software had
access to payment card details and personal information over a
seven-month period. But it declined to say how many people are
affected.

Sabre, which is based in Southlake, Texas, disclosed in early May a
suspected breach affecting its SynXis Central Reservations system. The
software-as-a-service system is used by travel agencies, hotels and
booking services for such functions as rate and inventory management
(see Sabre Warns Hotels: Card Data Potentially Compromised).

The exposure period started in August 2016 and ran through March. The
information at risk includes payment cardholder names, card numbers
and expiration dates, Sabre says.

For some reservations, the three-digit security code on the reverse of
the card was exposed, but a "large percentage" of bookings were made
without the code, the company says. Some bookings were made using
virtual payment card numbers, it adds.

Guest names, phone numbers, addresses and other information were at
risk, but not Social Security, driver's license or passport numbers,
according to Sabre.

"Our investigation did not uncover forensic evidence that the
unauthorized party removed any information from the system, but it is
a possibility," Sabre says. In May, the company said FireEye's
Mandiant investigations unit assisted with the investigation.

Unknown Number of Victims

Sabre did not give a figure for how many payment cards or individuals
were affected. Sabre spokesman Tim Enstice tells Information Security
Media Group that "less than 15 percent of the average daily bookings"
using the reservation system were viewed.

Enstice declined to answer how many daily bookings, on average, are
made. But the SHS reservation system is used at 36,000 locations, from
small hotels to large global chains, as well as for property
management.

If each location only made one booking a day, the number of
transactions would exceed 1 million in a month. At the bare minimum,
15 percent exposure would mean 150,000 transactions a month would be
at risk.

Enstice disputed that estimate, saying it was "pure speculation." But
Computerworld reported in August 2015 that Sabre's various software
systems process 2 billion transactions per day affecting 1 billion
travelers a year.

Sabre says it has contacted travel management companies and travel
agencies that do not use SHS reservations software, as well as those
that do. "We have engaged Epiq Systems to provide complimentary notice
support for those customers that determine they have a notification
obligation," Sabre says.

The company also has created a website to notify consumers. It advised
consumers to monitor account statements and report suspicious activity
to financial institutions.

Second Security Incident

The breach is at least the second cybersecurity incident for Sabre in
as many years.

In an Aug. 4, 2015, filing with the U.S. Securities and Exchange
Commission, Sabre said it was investigating a "cybersecurity incident
involving several servers managed by a third party."

Bloomberg reported a month later that investigators believed hackers
linked with China attacked Sabre as well as American Airlines. The
hacking group was suspected to be the same one that struck health
insurer Anthem and the U.S. government's personnel office.

In February 2016, Sabre said it concluded its investigation, writing
in its annual report that it found "no loss of traveler data,
including no unauthorized access to or acquisition of sensitive
protected information, such as payment card industry data or
personally identifiable information in connection with this incident."

In February 2015, Anthem said the personal information of 78.8 million
individuals was stolen, including names, dates of birth, Social
Security numbers and healthcare identity numbers. Anthem has agreed to
a proposal to settle a related class-action suit for $115 million,
which a federal court will review next month (see Analyzing the Anthem
Breach Class Action Settlement).

In one of the largest breaches to affect the U.S. government, the
details of 4.2 million federal employees and up to 10 million former
employers and contractors were stolen from the U.S. Office of
Personnel Management (see Millions More Affected by OPM Breach).

