Travel Booking company pays out money for 2016 breach

I took the Christmas break off from posting, hope everyone has enjoyed their holiday as much as I enjoyed the break. We’re going to start with some interesting news coming out of Cyberscoop I recently read in regards to a booking company having to pay out some money for a 2016 breach.

The company in question is called Sabre Corp who I’ve never heard of.

Sabre Corp. will make a $2.4 million payout and shore up its cybersecurity policies under an agreement with 27 state attorneys general who investigated
a breach of its hotel-booking technology.

The settlement, announced Wednesday, involves a 2016 intrusion into the SynXis Central Reservation, run by the Texas-based corporation’s Sabre Hospitality
Solutions subsidiary. The breach exposed the details of about 1.3 million credit cards.

Letitia James is the New York attorney mentioned in this story.

The article indicates that there were multiple failures, which I thought we should talk about. First, they had a susceptible security system, then they didn’t notify their customers in a timely manner. That’s two big failures, one of which should never have happened.

I completely get that there are going to be mistakes, notifying your customers of that mistake should not be one of your mistakes. This is beyond repair, the money should go to the customers and not to the states though. The customers are at a loss here by the first mistake which could be anything from a software breach which is understandable, seeing how company assets are upgraded differently than consumers as we’ve learned.

“Today’s agreement not only imposes a hefty fine on Sabre but will ensure that the company has the appropriate security and incident response plan in place
so that its failure does not take place again.”

The failures may happen again. See the blog for articles like this one on InterContinental Confirms Breach at 12 Hotels, among many others.

It’s been confirmed, Marriott suffered another breach; there were many breaches at the Marriott chain, but they were up front with what was going on, and you can read those articles to form your own opinion.

The settlement requires Sabre to “implement and maintain a comprehensive information security program, and a written incident response and data breach
notification plan,” according to the attorneys general. “Sabre must also obtain an independent third-party security assessment and implement any recommendations
to improve network security.”

Should cybersecurity be everyone’s business by now? Why does it take a settlement with states or individuals to make companies wake up to the security problems of today?

According to the article, the hotel chains affected by the breach included Trump Hotels, The Four Seasons and Loews Hotels.

Trump Hotels have been talked about in other articles on the blog, search it out. I know the blog starts April 2011, but that can’t be helped now, but you can even search the Internet for articles about that hotel chain.

Sabre’s revenues were reported to be nearly 4 billion dollars so they should be able to shore up their defenses. Since I only read the article on the 27th, the quote

The company had not issued a comment about the settlement as of Thursday morning.

should not be much of a surprise to anyone in this industry.

Would you like to read more about this fascinating piece of good news? Travel-booking company Sabre Corp. settles with 27 states over breach of credit card data is the Cyberscoop article we’ve taken from.

Let’s show companies that this is not acceptable behavior and we want our information regarded as secure as possible. The public understands that there are going to be mistakes, some may not be your fault. Your immediate reaction such as notifying us of the breach or intrusion, finding out what happened, figuring out how to prevent the problem from occurring again, and we can’t forget training your customer service reps to respond to questions from customers who may call you about the breach.

When I got notified by mail from OPM about their breach, the customer service rep knew what was going on, was able to identify what was going on, and answered my questions. While I didn’t ever do business with them, they told me the information I needed to know, based on me identifying myself as who I said I was, Jared Rimer. I won’t disclose the rest of what was disclosed, but suffice it to say, I wasn’t necessarily impressed I was involved with a company I had no direct contact with, but understood what they did. That is the most important thing we can take out of these breaches, the up front nature of what is disseminated to us. Let us hope that 2021 will teach companies that this is the most important thing they can learn from this breach pandemic year that is 2020. Make it a great day.
