December 23, 2020
Carson City, NV – Today, Attorney General Aaron D. Ford announced that his office has
joined attorneys general of 27 states in a settlement with Sabre Corporation
that resolves their investigation into the 2017 data breach of Sabre
Hospitality Solutions’ hotel booking system. The breach exposed the data of
approximately 1.3 million credit cards. The settlement focuses on injunctive
relief, and requires a payment of $2.4 million, of which the State of Nevada will
receive $47,321.87.
Sabre Hospitality Solutions is a business segment of Sabre that operates the SynXis
Central Reservation system, which facilitates the booking of hotel
reservations. SynXis connects business travel coordinators, travel agencies,
and online travel booking companies on one end to Sabre’s hotel customers on
the other. On June 6, 2017, Sabre informed its hotel customers of a data breach
that had occurred between August 2016 and March 2017, which the business
disclosed in a 10-Q SEC filing the month before. Notice to consumers was
provided by the hotels, resulting in some notices being issued as late as 2018,
and some consumers receiving multiple notices stemming from the same breach.
“When a data breach occurs, Nevada law requires that our consumers be notified in the most
expedient time possible, but that did not happen in this case,” explained AG Ford. “When there are
multiple companies in the stream of commerce, those companies must have a plan
that ensures consumers are timely informed of any incidents that compromise
their personal information.”
The settlement requires Sabre to proactively plan for future security incidents. Sabre has agreed that its future contracts will
include language that specifies the roles and responsibilities of Sabre and its
industry customers in the event of a breach. It also requires Sabre to take
reasonable efforts to determine whether its customers have provided notice to
consumers, and to provide the attorneys general a list of all the customers
that it has notified. In addition, the settlement requires that Sabre implement
and maintain a comprehensive information security program, and a written
incident response and data breach notification plan. Sabre must also obtain an independent third-party
security assessment and implement any recommendations to improve network
security.
Joining Attorney General Ford in this settlement
are the attorneys general of Vermont, Arkansas, Connecticut, Illinois, Alaska,
Arizona, Florida, Hawaii, Indiana, Iowa, Louisiana, Michigan, Minnesota,
Missouri, Montana, Nebraska, New Jersey, New York, North Carolina, North
Dakota, Ohio, Oregon, Pennsylvania, Tennessee, Virginia, and Washington.
###