NEW JERSEY – New Jersey has entered into a settlement with Sabre Corp. that resolves an investigation into a 2017 data breach involving Sabre Hospitality Solutions, the business unit that operates the company’s hotel booking system. The breach affected 1.3 million credit cards, and compromised data such as CVV numbers (the card security code numbers) and expiration dates, according to Attorney General Gurbir S. Grewal.
Under the multi-state settlement, Sabre will pay the 27 participating states a total of $2.4 million, with New Jersey receiving approximately $70,260. In addition to the monetary payments, the settlement includes injunctive terms requiring that Sabre put in place new measures designed to strengthen its data security safeguards and ensure that clear protocols exist for notifying consumers as expeditiously as possible when a data breach occurs.
“Settlements like this one require companies to do a better job of protecting consumers going forward,” Grewal said. “In a world where online transactions have proliferated and payment through credit cards and phone apps is often preferred, businesses have a duty not only to adopt cybersecurity measures that protect consumers’ sensitive information, but to ensure consumers are notified sooner than later when a breach compromises their personal information.”
Sabre Hospitality Solutions operates the SynXis Central Reservation system, which facilitates hotel reservation bookings. SynXis connects business travel coordinators, travel agencies and online travel booking companies on one end to Sabre’s hotel clients on the other.
On June 6, 2017, Sabre informed its hotel clients of a data breach that had occurred between August 2016 and March 2017. The business had previously disclosed the breach in a Securities and Exchange Commission filing the month before.
However, Sabre did not notify actual hospitality consumers, leaving that task to the client hotels. The client hotels subsequently provided notice to consumers, but some consumers did not receive notice until as late as 2018, while others repeatedly received notice stemming from the same breach.
Among other things, today’s settlement requires Sabre to take steps to determine whether its client hotels have provided notice to consumers, and to provide the participating Attorneys General with a list of all the client hotels it has notified.
Going forward, Sabre also must develop and implement a written incident response and data breach notification plan. The settlement also requires Sabre to include language in future contracts that specifies the roles and responsibilities of both parties — Sabre and its client hotels — in the event of a data breach.
In addition, the settlement requires that Sabre implement and maintain a comprehensive information security program, implement specific security requirements and undergo a third-party security assessment.
“When booking travel accommodations, hospitality consumers are typically asked – and often required – to provide credit card and other sensitive personal information,” said Division of Consumer Affairs Acting Director Paul R. Rodríguez. “Given this reality, consumers have a right to expect their information will be protected, and that they will be notified ASAP if a breach occurs that impacts them. This settlement includes terms designed to ensure that Sabre not only improves its data protection systems going forward, but also develops clear lines of responsibility for notifying consumers of any breach.”
Deputy Attorney General Kashif T. Chand, Chief of the Data Privacy & Cybersecurity Section in the Division of Law’s Affirmative Civil Enforcement Practice Group, and Deputy Attorney General Gina Pittore of the Data Privacy & Cybersecurity Section, handled the Sabre Hospitality matter on behalf of the State.
In addition to Attorney General Grewal, Attorneys General representing the following states have signed on to today’s settlement with Sabre: Vermont, Arkansas, Connecticut, Illinois, Alaska, Arizona, Florida, Hawaii, Indiana, Iowa, Louisiana, Michigan, Minnesota, Missouri, Montana, Nebraska, Nevada, New York, North Carolina, North Dakota, Ohio, Oregon, Pennsylvania, Tennessee, Virginia, and Washington.