On December 23, 2020, the attorneys general of twenty-seven states announced that they had reached a $2.4 million settlement with Sabre Corporation, a travel technology company headquartered in Texas, to resolve the states’ investigations of a 2017 data breach of Sabre Hospitality Solutions’ hotel booking system.
The breach began with the compromise of an administrator-level account, and allowed its perpetrators to view payment card information on multiple occasions between August 2016 and March 2017, compromising as many as 1.3 million cards. Although two security incidents should have alerted Sabre to the hacker’s activity, Sabre failed to investigate until April 2017, when online travel agencies began reporting suspicious activity connected with Sabre Hospitality’s reservation system. Sabre disclosed the breach in a filing with the US Securities and Exchange Commission in May 2017, and a day later notified the payment card brands, but took nearly two more months to notify its affected hotel customers who, in turn, informed consumers of the breach, a process that took several more months.
In addition to the monetary penalty, the settlement requires Sabre to comply with federal and state breach notification laws, provide reports on any breaches it experiences, include certain data security provisions in its contracts, and establish and regularly review a written information security program (which must be implemented by a company executive or officer). Further, a third-party assessor will review Sabre’s information security program and issue a report to the attorney general of Vermont (as the lead plaintiff in the litigation).