Attorney General Ford Joins 27 States in Settlement Resolving Investigation of Sabre Hospitality Solutions

December 23, 2020

Carson City, NV – Today, Attorney General Aaron D. Ford announced that his office has joined attorneys general of 27 states in a settlement with Sabre Corporation that resolves their investigation into the 2017 data breach of Sabre Hospitality Solutions’ hotel booking system. The breach exposed the data of approximately 1.3 million credit cards. The settlement focuses on injunctive relief, and requires a payment of $2.4 million, of which the State of Nevada will receive $47,321.87.

Sabre Hospitality Solution is a business segment of Sabre that operates the SynXis Central Reservation system, which facilitates the booking of hotel reservations. SynXis connects business travel coordinators, travel agencies, and online travel booking companies on one end to Sabre’s hotel customers on the other. On June 6, 2017, Sabre informed its hotel customers of a data breach that had occurred between August 2016 and March 2017, which the business disclosed in a 10-Q SEC filing the month before. Notice to consumers was provided by the hotels, resulting in some notices being issued as late as 2018, and some consumers receiving multiple notices stemming from the same breach.

“When a data breach occurs, Nevada law requires that our consumers be notified in the most expedient time possible, but that did not happen in this case,” explained AG Ford. “When there are multiple companies in the stream of commerce, those companies must have a plan that ensures consumers are timely informed of any incidents that compromise their personal information.”

The settlement requires Sabre to proactively plan for future security incidents.  Sabre has agreed that its future contracts will include language that specifies the roles and responsibilities of Sabre and its industry customers in the event of a breach. It also requires Sabre to take reasonable efforts to determine whether its customers have provided notice to consumers, and to provide the attorneys general a list of all the customers that it has notified. In addition, the settlement requires that Sabre implement and maintain a comprehensive information security program, and a written incident response and data breach notification plan.  Sabre must also obtain an independent third-party security assessment and implement any recommendations to improve network security.

Joining Attorney General Ford in this settlement are the attorneys general of Vermont, Arkansas, Connecticut, Illinois, Alaska, Arizona, Florida, Hawaii, Indiana, Iowa, Louisiana, Michigan, Minnesota, Missouri, Montana, Nebraska, New Jersey, New York, North Carolina, North Dakota, Ohio, Oregon, Pennsylvania, Tennessee, Virginia, and Washington.