New Jersey will receive $70,260 from a multi-state settlement with Sabre Corp. that resolves the investigation of a 2017 data breach involving its hotel booking operations unit, Sabre Hospitality Solutions.
The breach affected 1.3 million credit cards nationwide and compromised data including CVV numbers and expiration dates.
Sabre will pay the 27 participating states a total of $2.4 million, and must now strengthen its data security safeguards and clarify the protocols for notifying consumers when a data breach occurs.
“Settlements like this one require companies to do a better job of protecting consumers going forward,” said Attorney General Grewal in a prepared statement. “In a world where online transactions have proliferated and payment through credit cards and phone apps is often preferred, businesses have a duty not only to adopt cybersecurity measures that protect consumers’ sensitive information but to ensure consumers are notified sooner than later when a breach compromises their personal information.”
Sabre Hospitality Solutions’ SynXis Central Reservation system facilitates hotel reservation bookings by connecting business travel coordinators, travel agencies and online travel booking companies on one end to Sabre’s hotel clients on the other.
Sabre experienced a data breach between Aug. 2016 and March 2017. The company informed its hotel clients of the breach on June 6, 2017, after previously disclosing the breach in a Securities and Exchange Commission filing in May.
However, the company didn’t notify actual hospitality consumers, instead leaving the task up to the client hotels. Some consumers didn’t receive notice until 2018, and some were repeatedly notified of the same breach.
Wednesday’s settlement requires Sabre to take steps to determine whether client hotels have provided notice to consumers, and to provide the participating attorneys general with a list of all the client hotels it has notified.
Sabre must also develop and implement a written incident response and data breach notification plan, and include language in future contracts that specifies the roles and responsibilities of both parties in the event of a data breach.
Additionally, the settlement requires that Sabre implement and maintain a comprehensive information security program and specific security requirements, and undergo a third-party security assessment.
“When booking travel accommodations, hospitality consumers are typically asked – and often required – to provide credit card and other sensitive personal information,” said Division of Consumer Affairs Director Paul Rodríguez in a prepared statement. “Given this reality, consumers have a right to expect their information will be protected, and that they will be notified ASAP if a breach occurs that impacts them. This settlement includes terms designed to ensure that Sabre not only improves its data protection systems going forward, but also develops clear lines of responsibility for notifying consumers of any breach.”
Deputy Attorney General Kashif Chand, chief of the Data Privacy & Cybersecurity Section in the Division of Law’s Affirmative Civil Enforcement Practice Group, and Deputy Attorney General Gina Pittore of the Data Privacy & Cybersecurity Section handled the Sabre Hospitality matter on behalf of the state.
Attorney General Grewal is joined on the settlement by attorneys general of Vermont, Arkansas, Connecticut, Illinois, Alaska, Arizona, Florida, Hawaii, Indiana, Iowa, Louisiana, Michigan, Minnesota, Missouri, Montana, Nebraska, Nevada, New York, North Carolina, North Dakota, Ohio, Oregon, Pennsylvania, Tennessee, Virginia, and Washington.