According to ZDNet, both incidents appear to have been linked to a third-party reservation platform from Sabre Hospitality, called SynXis, which only began informing client hotels of the security breach in June 2017, months after the attacks took place.
Hard Rock Hotels & Casinos, which operates 176 cafes, 24 hotels and 11 casinos in 75 countries, said SynXis, the infrastructure used for reservations made through hotels and travel agencies, provided the avenue for data theft and the exposure of customer information.
The attacker stole unencrypted payment card information for hotel reservations, including cardholder names, card numbers, and expiration dates. Furthermore, in some cases, security codes were also exposed, alongside guest names, email addresses, phone numbers, and addresses. Loews Hotels also appears to be a victim of the same security failure.
“The unauthorized party first obtained access to payment card and other reservation information on August 10, 2016,” the hotel chain said. “The last access to payment card information was on March 9, 2017.” Therefore, customers who stayed in one of these properties on the dates mentioned above could be at risk of identity theft should the attackers choose to sell their stolen cache of data.
While Sabre has not revealed exactly how the system was breached, the company has hired third-party cybersecurity company Mandiant to investigate.