The Four Seasons, Hard Rock, Loews and now the Trump hotels have reported, according to a Skift story, that they and their customers were impacted by the Sabre data breach reported in May, in attacks believed to be linked to the SynXis travel reservation platform. IT security experts comment below.
Lisa Baergen, Director of Marketing at NuData Security:
“While the full scope of the Sabre breach announced earlier this spring is still not yet known (and perhaps might never be fully known, given the global reach of the Sabre reservations network), what is known is that more and more hospitality chains are now announcing that customers have been impacted, and the breach of their consumers’ personal financial information is damaging to both the customers and to the brands they’ve come to trust.
“Whenever personally identifiable information (PII) is compromised by a third-party provider such as Sabre, the looted consumer data can be made available to be cross-correlated with details from a plethora of other breaches and social platforms to create comprehensive digital identities. These full packages of identity information are more valuable to hackers, rendering the potential victims susceptible to fraud, identity theft and account takeovers. And for the brands themselves, it is likely that these impacted consumers will be potentially less loyal to their brands of choice.
“Every organization entrusted with PII – both the direct-to-consumer providers such as the hospitality chains and the third parties such as Sabre – should constantly be testing and hardening their defenses, and embracing more proactive and effective levels of security such as consumer behavior analytics solutions to help prevent identity thefts. These sorts of breaches are now just too widespread to justify continued faith in legacy approaches, and too much consumer data is now ‘in the wild’ to protect consumers with outdated technology.
“Consumers need to accept it isn’t a matter of if they will be impacted anymore with the widespread proliferation of breaches, but when. Organizations charged to protect this data need to be more judicious and find a multilayered solution that better balances customer experience and security. Old point solutions, simple second factor approaches, or putting up walls no longer suffice.”
Michael Magrath, Director, Global Regulations and Standards at VASCO Data Security:
“How widespread the Sabre breach was won’t be known for several months. Four Seasons, Loews and Hard Rock may just be the top of the iceberg. As presented at this week’s 2017 DHS Cyber Security R&D Showcase and Technical Workshop in Washington, DC, it often takes over 4 months for organizations to discover a breach. Cyber criminals continue to penetrate under-secure systems, often targeting usernames and static passwords or compromising unsecure mobile applications. Organizations must deploy multifactor authentication as part of an overall layered security approach. Additionally, mobile application shielding with RASP technology should be considered.”