ATTORNEY GENERAL RAOUL ANNOUNCES $2.4 MILLION SETTLEMENT WITH SABRE HOSPITALITY SOLUTIONS OVER DATA BREACH
Settlement Requires Sabre to Implement Information Security Measures
Chicago — Attorney General Kwame Raoul, along with a coalition of 27 attorneys general, today announced a $2.4 million settlement with Sabre Corp. resolving a multistate investigation into the 2017 data breach of Sabre Hospitality Solutions’ hotel booking system. The breach exposed the data of approximately 1.3 million credit cards.
“By not having appropriate information security measures or plans in place for responding to a data breach, Sabre left information belonging to millions of consumers vulnerable,” Raoul said. “Today’s settlement holds Sabre accountable and, more importantly, takes steps to safeguard against a future breach and better protects consumers.”
Sabre Hospitality Solutions (Sabre), a business segment of Sabre Corp., operates the SynXis Central Reservation system, which allows business travel coordinators, travel agencies, and online travel booking companies to make reservations with hotels or hotel brands. In June 2017, Sabre informed its hotel customers of a data breach that had occurred between August 2016 and March 2017. Hotels were left to notify their customers of the breach, resulting in some notices being issued as late as 2018, and some consumers receiving multiple notices.
Under the settlement, Sabre agrees to implement and maintain a comprehensive information security program, a written incident response and data breach notification plan, specific security requirements, and undergo a third-party security assessment. In addition, Sabre’s future contracts will include language to specify the roles and responsibilities of both Sabre and its hotel customers in the event of a breach. Today’s settlement also requires Sabre to determine whether its hotel customers have notified consumers of the breach, and to provide Raoul and the coalition a list of all the customers Sabre has notified. According to the settlement, Sabre will pay the states $2.4 million.
Privacy Unit Chief Matt Van Hise, Consumer Fraud Bureau Chief Beth Blackston, and Assistant Attorneys General Carolyn Friedman and Ronak Shah handled the settlement for Raoul's Consumer Fraud Bureau.
Joining Raoul in this settlement are the attorneys general of Alaska, Arizona, Arkansas, Connecticut, Florida, Hawaii, Indiana, Iowa, Louisiana, Michigan, Minnesota, Missouri, Montana, Nebraska, Nevada, New Jersey, New York, North Carolina, North Dakota, Ohio, Oregon, Pennsylvania, Tennessee, Vermont, Virginia and Washington.