Ashley Moody Concludes Data Breach Investigation of Sabre Hospitality Solutions

Last week, Florida Attorney General Ashley Moody, along with attorneys general from 26 other states, concluded an investigation into the 2017 data breach of Sabre Hospitality Solutions’ hotel booking system. The breach exposed the data of approximately 1.3 million credit cards. The attorneys general reached a $2.4 million agreement with Sabre Corporation, of which the state of Florida will receive $118,644 and injunctive relief.

Sabre Hospitality Solutions, a business segment of Sabre Corporation, operates the SynXis Central Reservation system that facilitates the booking of hotel reservations. SynXis connects business travel coordinators, travel agencies and online travel booking companies to Sabre Corporation’s hotel customers. On June 6, 2017, Sabre Corporation informed its hotel customers of a data breach that occurred between August 2016 and March 2017, which the business disclosed in a 10-Q Securities and Exchange Commission filing the month before. Hotels provided notice to consumers, resulting in some notices being issued as late as 2018 and some consumers receiving multiple notices stemming from the same breach.

“Holding companies accountable for the protection of Floridians’ personal information continues to be an important focus for my office. This agreement should serve as another important reminder to businesses that personal information must be treated with high levels of care required by law in Florida,” Moody said.

The agreement requires Sabre Corporation to:

• Include language in future contracts that specifies the roles and responsibilities of both parties in the event of a breach;
• Determine whether its customers provide timely and adequate notice of a breach to their consumers, and provide attorneys general a list of all the customers that it has notified;
• Implement and maintain a comprehensive information security program;
• Establish a written incident response and data breach notification plan; and
• Implement specific security requirements and undergo a third-party security assessment.

In addition to Florida, represented by Consumer Protection Division senior assistant attorney general Gregory Sadowski, the multistate group includes: Alaska, Arizona, Arkansas, Connecticut, Hawaii, Illinois, Indiana, Iowa, Louisiana, Michigan, Minnesota, Missouri, Montana, Nebraska, Nevada, New Jersey, New York, North Carolina, North Dakota, Ohio, Oregon, Pennsylvania, Tennessee, Vermont, Virginia and Washington.