Cyber Incident Victim: Sabre Corporation
Date: Aug 2023
Location: United States of America
Summary
A ransomware gang known as Dunghill Leak claimed responsibility for a cyberattack against Sabre Corporation, alleging it exfiltrated 1.3 terabytes of data. The stolen information reportedly included corporate financial data, databases on ticket sales, and extensive employee personal information such as passport numbers and U.S. I-9 work authorization forms. The company stated it was investigating the claims to determine their validity.
Description
A travel booking giant known as Sabre Corporation found itself at the center of a significant cybersecurity event when an extortion group named Dunghill Leak publicly claimed responsibility for a data breach. The group made these claims on its dark web leak site, posting a tranche of files they alleged to have stolen from the company. In response to these public assertions, Sabre Corporation acknowledged the situation, stating it was aware of the claims made by the threat group and was actively investigating to determine their validity. The company's spokesperson, Heidi Castle, confirmed this investigative stance via email, highlighting the initial steps taken to assess the credibility of the gang's boasts. The incident garnered public attention through a news report, which detailed the extortion group's allegations and the potential scope of the compromised data.

According to the listing on its leak site, the Dunghill Leak group alleged it had successfully exfiltrated approximately 1.3 terabytes of sensitive corporate information. The data they claimed to possess was extensive and varied, encompassing critical business areas. This included databases related to ticket sales and passenger turnover, which form the core of Sabre's travel reservation services. Furthermore, the group stated they had taken personal data belonging to Sabre's employees, a serious intrusion that threatens individual privacy. The cache also purportedly contained sensitive corporate financial information, the exposure of which could have significant implications for the company's operations and market standing. To substantiate their claims, the group published a portion of the allegedly stolen files on their site, with a promise that the full cache of data would be made available soon, a common tactic used to pressure victims into paying a ransom.
Sabre Corporation operates as a major global provider of software and data that powers a vast portion of the travel industry's infrastructure. Its systems and technology are integral to airline and hotel bookings, check-in processes, and mobile applications for numerous prominent U.S. airlines and hotel chains. This central role within the travel ecosystem means that any breach of its systems has the potential to cause widespread disruption and compromise the data of countless travelers and employees. The company's prominence makes it a high-value target for cybercriminal groups seeking to extract large ransoms or cause maximum damage. The incident drew parallels to a previous security event Sabre experienced in 2017, wherein hackers had scraped a million credit cards from its hotel reservation system, leading to a multi-million dollar settlement with several states.
Evidence supporting the breach claims was provided in the form of screenshots that were published by the extortion group and reviewed by journalists. These screenshots displayed several database names that were directly related to booking details and billing information. The databases appeared to contain tens of millions of records, indicating a massive volume of potentially compromised data. However, it remained unclear from the available information whether the hackers had gained direct access to the live databases themselves or had exfiltrated copies or extracts of the data contained within them. The screenshots served as a form of proof-of-hack, a method increasingly used by ransomware and extortion groups to demonstrate the authenticity of their claims and to incentivize payment from their victims.
A particularly alarming aspect of the published data pertained to Sabre employees. Some of the screenshots contained records of employees, including their email addresses and the locations where they worked. One specific screenshot was especially sensitive, as it contained employee names, nationalities, passport numbers, and visa numbers. Several other screenshots displayed U.S. I-9 forms, which are official documents used to verify the identity and employment authorization of individuals hired to work in the United States. The compromise of such documents represents a severe violation of employee privacy and poses a substantial risk of identity theft. The data's authenticity was partially corroborated by journalists who found that several passports within the leaked cache corresponded with actual Sabre employees, including a vice president, as verified through their public LinkedIn profiles.
The exact timeline of the alleged cyberattack and data exfiltration could not be definitively determined from the publicly available information. The screenshots posted by the Dunghill Leak group, however, provided a clue regarding the age of the data. The information shown in these images appeared to be as recent as July 2022, suggesting that the breach, if genuine, occurred at some point after that date. The group itself is a relatively new actor within the cybercrime landscape. According to security researchers, Dunghill Leak evolved or rebranded from the Dark Angels ransomware operation, which itself originated from the Babuk ransomware source code. Prior to targeting Sabre, this group had claimed credit for attacks against other major corporations, including coin-operated game maker Incredible Technologies, food distribution giant Sysco, and automotive products manufacturer Gentex.
This incident exemplifies a modern trend among cybercriminal groups that increasingly forgo the traditional ransomware model of encrypting files altogether. Instead, these groups focus their efforts on data theft and extortion, threatening to publish the stolen sensitive information publicly if a ransom demand is not met. This shift in tactics, often called "double extortion" or simply "extortion," places immense pressure on victim organizations by threatening reputational damage, regulatory fines, and legal action from affected parties. Law enforcement agencies, including the FBI and international bodies, have consistently advised victims of ransomware and extortion attacks not to pay the demanded ransoms. The rationale behind this guidance is that paying fuels the criminal enterprise and guarantees neither that the stolen data will be deleted nor that it will not be sold or leaked later regardless of payment. Sabre's investigation was ongoing to ascertain the full validity and impact of the claims made by the Dunghill Leak group.
