AG Dave Yost agrees to Settlement with Sabre Hospitality after multistate investigation
The AG says that during data breaches, the company involved needs to take more responsibility.
COLUMBUS, Ohio — Ohio Attorney General Dave Yost has agreed to a settlement with Sabre Corporation after a multistate investigation involving 27 states of the data breach of Sabre Hospitality Solutions’ hotel booking system..
The breach exposed the data of approximately 1.3 million credit cards. The settlement provides injunctive relief and requires a payment of $2.4 million, of which Ohio will receive over $81,000.
“Sabre’s customers seeking hotel reservations were also booked on a hacker’s hard drive,” Yost said. “And instead of fessing up to it, Sabre forced the hotels to apologize for its mistakes — but now it’s time to face facts.”
Sabre Hospitality Solutions, a business segment of Sabre, operated a reservation system for hotels. Sabre facilitated hotel reservation bookings between business travel coordinators, travel agencies and online travel booking companies and Sabre’s hotel customers.
On June 6, 2017, Sabre informed its hotel customers of a data breach that occurred between August 2016 and March 2017 on the reservation system. Sabre did not inform consumers directly, instead leaving notification to the hotels.
Notice to consumers was provided by the hotels, resulting in some notices being issued as late as 2018, and some consumers received multiple notices stemming from the same breach.
The settlement requires Sabre to include language in future contracts that specifies the roles and responsibilities of both parties in the event of a breach. In addition, the settlement requires that Sabre implement and maintain a comprehensive information security program, implement a written incident response and data breach notification plan, implement specific security requirements and undergo a third-party security assessment.