Cyber Incident Victim: Hard Rock International

Between August 10, 2016, and March 9, 2017, attackers gained unauthorized access to a third-party reservation system used by Hard Rock Hotels & Casinos and Loews Hotels. The breach occurred through Sabre’s SynXis hotel and travel reservation platform, where compromised account credentials allowed intruders to view reservation data for seven months. The exposed information included unencrypted credit card payment details along with guest names, physical addresses, and telephone numbers. Sabre notified both hotel chains of the incident in early June 2017 after Google employees discovered their personal information had been compromised through the same SynXis breach, which Sabre had initially disclosed in May 2017. The attackers’ access period overlapped with prior cybersecurity incidents affecting Hard Rock properties, though the reservation system compromise represented a distinct attack vector.

The breach impacted multiple Hard Rock Hotel & Casino locations globally, including properties in Biloxi, Cancun, Chicago, Goa, Las Vegas, Palm Springs, Panama Megapolis, Punta Cana, Rivera Maya, San Diego, and Vallarta. Loews Hotels reported that fewer than 15% of its average daily bookings were accessed during the intrusion window. This incident followed previous security failures at Hard Rock’s Las Vegas location, where point-of-sale malware compromised customer payment cards between September 2014-April 2015 and October 2015-March 2016. Sabre had also experienced a separate breach in August 2015 affecting American Airlines. No specific containment measures or forensic findings from the 2016-2017 breach were disclosed beyond Sabre’s June 2017 notification to the hotel chains. The incident exposed sensitive personal and financial data across multiple hospitality brands through a centralized third-party system, demonstrating recurrent vulnerabilities in the sector’s handling of reservation data.