Cyber Incident Victim: Google

The breach impacting Google employees originated from a compromise of Sabre Hospitality Solutions' SynXis Central Reservation System, a platform utilized by tens of thousands of hotels globally to manage reservations through travel agencies. Unauthorized access to Sabre's systems occurred between August 10, 2016, and March 9, 2017, during which an attacker exfiltrated personal data including employee contact details and payment card information. The breach was initially identified through Sabre's SEC filings in early May 2017 by security researcher Brian Krebs. Sabre subsequently notified its clients, including Carlson Wagonlit Travel (CWT), Google's designated corporate travel management provider. CWT then alerted Google to the potential exposure of employee data related to work-related hotel bookings processed through the compromised SynXis platform. Due to Sabre's 60-day data retention policy for reservation records, Google could not definitively ascertain which specific employee records were accessed during the attacker's prolonged presence in the system.

Google initiated notifications to affected employees in July 2017, clarifying that the breach stemmed from a third-party vendor rather than internal security failures. The company offered two years of complimentary identity protection and credit monitoring services to mitigate potential financial fraud risks. While the incident involved a limited number of staff compared to broader corporate breaches, it underscored persistent third-party risks. This marked at least the second exposure of Google employee data via external vendors within a year, following a May 2016 incident where a benefits manager erroneously transmitted a file containing names and Social Security numbers to an unauthorized recipient. The Sabre breach had wider industry implications, prompting advisories for all travelers who booked accommodations through agencies using SynXis during the intrusion period to verify potential data exposure.