Sabre said Tuesday a month-long investigation into claims a ransom group had stolen highly sensitive data from the travel tech and software giant’s systems has revealed no current or ongoing security concerns.
“To our knowledge and based on our investigation to date, no customer/traveler PCI [payment card industry] data has been compromised,” the company said in an emailed response to questions from PhocusWire.
The company also said it found “no unauthorized access to any operational platforms such as the GDS, PSS or hospitality system or any of the related applications that are used by our customers in support of their businesses.”
Sabre’s ongoing investigation is now focused on “a very limited environment that housed a subset of Sabre’s internal business support systems and other data,” the statement concluded.
Get a dose of digital travel in your inbox each day
Subscribe to our newsletter below
The first signs of the cyberattack on Sabre, reported in September by TechCrunch, came after a ransomware group known as Dunghill Leak alleged on its dark web leak site that it took about 1.3 terabytes of data from the company, including information on ticket sales, employees’ personal data and corporate financial information.
The group posted some of the files it claimed to have stolen, threatening that more would be made available. While it wasn’t clear when the alleged breach occurred, TechCrunch reported that screenshots posted by the extortion group showed data from as recently as July 2022 and that some displayed employee email addresses and work locations while another showed employee names, nationalities, passport and visa numbers.
A threat to Sabre would have far-reaching ramifications in the travel industry. Its travel reservation system is used by travel agents and companies to search, price and book airlines, hotels, car rentals and tours, among other things.
Sabre experienced a security incident in 2017 when the company said an unauthorized party accessed information from more than a million credit cards. The company paid $2.4 million in a settlement with two dozen states.
Cybersecurity experts say travel companies are inviting targets, both because they can require extensive personal data from customers and because many rely on third-party vendors, which creates additional vulnerabilities.
A recent report from security firm Trustwave SpiderLabs cited research from Cornell University and Freedom Pay showing that 31% of hospitality providers reported they had data breaches, costing companies an average of $3.4 million, not to mention damage to their reputation.
“Travel and hospitality companies act as connectors for consumers — their services often provide discounts and information on flights, hotel rooms, car rentals and so much more,” said Alex Rice, chief technology officer at HackerOne, a San Francisco-based cybersecurity company. “On the back end, greater integration across partners and vendors equates to more software supply chain complexity — and potentially more entry points for bad actors.”
As long as we have centrally stored data, whether in data center or in the Cloud, data breaches will continue to be a problem.
Norm Rose — Phocuswright
Phocuswright senior technology and corporate market analyst Norm Rose said the trend of cybersecurity breaches in travel seems to be accelerating. A report last year from Phocuswright found that digital fraud attempts against travel and leisure companies rose 156% from the previous year.
“As long as we have centrally stored data, whether in data center or in the cloud, data breaches will continue to be a problem,” Rose said.
To protect themselves from cyberattacks, travel and hospitality companies should place equal emphasis on identifying their exposure through third-party vendors as well as risks within their own systems, said HackerOne’s Rice. In practice, that means a few sensible precautions:
Develop a vulnerability disclosure program so that researchers can identify best practices and share vulnerabilities before they are exploited.Provide regular training to employees so they can be vigilant to phishing attempts, which will only grow in sophistication with assistance from generative artificial intelligence.Keep close track of third-party software and require strict cybersecurity standards for vendors. That means managing software bill of materials and an inventory of software licenses to know what vendors, programs and networks face the greatest risks.
In the event of a genuine data breach, companies should help affected consumers reduce the impact of their exposure as much as possible, Rice said. Steps include notifying affected consumers as soon as possible and helping them take steps to reduce risk to bank accounts or other sensitive information.
Rice also recommended companies follow guidelines from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which in line with other international agencies advises against paying ransom, noting that is no guarantee data will be decrypted or that systems and data will no longer be compromised.
“I would love to see a world where organizations never pay a ransom, eliminating the market entirely, but decisions are not always this easy for everyone,” Rice said. “It is imperative that organizations not only weigh the short-term business and economic impact of paying versus not paying but also how that decision incentivizes repeat attacks in the future and reinforces the profitability of this criminal activity at large.”
— PhocusWire senior reporter Morgan Hines contributed to this report.