3rd Party Risk Management , Breach Notification , Cybercrime
$2.4 Million Settlement in 2017 Sabre Data Breach
Settlement Also Requires Company to Enhance Cybersecurity MeasuresThe attorneys general of 27 states have entered into a $2.4 million settlement with Sabre Corp. to resolve a lawsuit tied to 2017 data breach that struck the company's Sabre Hospitality Solutions hotel booking system, compromising 1.3 million payment cards.
See Also: ESG Research Report: Securing the API Attack Surface
The $2.4 million will be split among the 27 states involved in the suit. Additionally, the company is required to implement and maintain a comprehensive security program, a written incident response and data breach notification plan, specific security requirements, third-party security assessments and other measures, including sending a list of notified customers to the 27 attorneys general involved in the lawsuit.
"Companies need to do a better job of notifying New Yorkers when their personal information has been breached," notes New York Attorney General Letitia James. "Sabre first failed its customers with a susceptible security system, then failed them when it came to provide proper notifications."
The states included in the agreement with Sabre include Alaska, Arizona, Arkansas, Connecticut, Florida, Hawaii, Illinois, Indiana, Iowa, Louisiana, Michigan, Minnesota, Missouri, Montana, Nebraska, Nevada, New Jersey, New York, North Carolina, North Dakota, Ohio, Oregon, Pennsylvania, Tennessee, Vermont, Virginia and Washington.
"By not having appropriate information security measures or plans in place for responding to a data breach, Sabre left information belonging to millions of consumers vulnerable," says Illinois Attorney General Kwame Raoul, adding the settlement holds Sabre accountable and takes steps to safeguard against a future breach and better protects consumers.
Sabre did not release a statement about the settlement, and the company could not be immediately reached for comment.
Sabre's Data Breach
Sabre revealed the data breach in its May 2017 10-Q quarterly financial filing to the U.S. Securities and Exchange Commission. At the time, it reported investigating an incident involving unauthorized access to payment information contained in a subset of hotel reservations processed through the Sabre Hospitality Solutions SynXis Central Reservation system.
The company was able to disconnect the unauthorized access, but acknowledged the investigation by a third-party cybersecurity firm could reveal that personally identifiable information and PCI data might be compromised (see: Sabre Warns Hotels: Card Data Potentially Compromised).
In July 2017, Sabre revealed the data breach occurred when an intruder used stolen credentials to access the system and maintained persistence between August 2016 and March 2017, while harvesting access to payment card details and personal information (see: Sabre Says Stolen Credentials Led to Breach).
When Sabre first detailed the breach in 2017, several well-known hotel and hospitality chains were affected by the security incident, including Trump Hotels, Loews Hotels and Hard Rock Hotel & Casino properties (see: Trump Hotels Suffers Another Payment Card Breach).
Other Recent Settlements
Ticketmaster on Wednesday agreed to pay a $10 million criminal fine to resolve charges that the company illegally accessed an unnamed competitor's computer system on at least 20 separate occasions, using stolen passwords to conduct a cyberespionage operation (see: Ticketmaster Fined $10 Million for Hacking Competitor).
Twitter also faced a penalty earlier this month when it was fined $547,000 under the EU's General Data Protection Regulation by Ireland's Data Protection Commission for failing to report and document a data breach within 72 hours, as required under GDPR (see: Twitter Fined $547,000 Under GDPR for 2018 Data Breach).
The Home Depot in late November reached a $17.5 million settlement of a multistate lawsuit stemming from a 2014 data breach that compromised the payment card data of 40 million customers after hackers placed credit card-skimming malware on the home improvement chain's network (see: Home Depot Settles 2014 Breach Lawsuit for $17.5 Million).