Sabre Corporation, the travel technology company, has agreed to pay $2.4 million to settle with twenty-seven (27) state attorneys general over a 2017 data breach involving its hotel reservation services. In 2017, Sabre suffered a major data breach involving 1.3 million credit cards.
Sabre was cited for failing to comply with state breach notification and data security laws in its response to a cyber attack on its central reservation system, SynXis. The online reservation system is used by a number of large companies for hotel and travel reservations.
SynXis allows hotel guests to configure the data they receive according to their own preferences. Hotel guests retrieve reservation information from SynXis.
From August 10, 2016 to March 9, 2017, an attacker illegally accessed SynXis and obtained business and personal credit card information, including credit card numbers, expiration dates, and authorization codes.
The attacker was able to exploit an administrator-level account from which the attacker could view and collect credit card information. Sabre detected the unauthorized account in August 2016 but took no action to investigate the intrusion or any possible compromise of personal credit card data.
On March 9, 2017, while investigating an unrelated incident report, Sabre noticed unusual activity associated with SynXis accounts. Sabre partially deactivated the account but did not investigate the suspicious activity. On March 29, 2017, Sabre received reports from online travel agencies of suspicious activity. Again, Sabre did not begin to investigate the suspicious activity.
The state AGs specifically cited Sabre's failure to respond to serious red flags and to notify consumers whose personal data had been breached. Even after confirming the cyberattack, Sabre did not notify any consumers, claiming that its business customers were obligated to notify consumers. Some consumers did not receive data breach notifications until 2018.
According to the state AGs' allegations, Sabre did not have appropriate information security measures or plans in place to respond to a data breach.
In addition to the $2.4 million penalty, Sabre is required to implement numerous changes to its security and notification protocols, including ensuring that its contracts with companies clarify the roles and responsibilities of each party in the event of a data breach.
The settlement agreement also requires Sabre to determine whether its customers have been notified, to implement a comprehensive information security program, a written incident response plan, and a data breach notification plan, and to submit to a security assessment by a third party.
Sabre initially notified its business clients in June 2017, after first disclosing the breach in its regular SEC filing. The breach actually occurred between August 2016 and March 2017, and involved more than a million payment cards.