Cyber Incident Victim: Four Seasons Hotels and Resorts
Date:
Aug 2016
Location:
United States of America
Summary
Four Seasons Hotels and Resorts was impacted by a third-party data breach involving Sabre Corporation's SynXis Central Reservations system, which processed bookings for multiple hospitality chains. Unauthorized access to the platform compromised customer payment card data from reservations handled through Sabre's service, though the hotel chain confirmed its own systems were not directly breached. The incident affected numerous properties across several hotel groups, including Trump Hotels, Hard Rock, and Loews, with Sabre notifying impacted partners months after the intrusion. Compromised information was limited to transactions processed via the third-party provider, highlighting systemic risks in hospitality sector supply chains.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
The breach impacting Four Seasons Hotels and Resorts originated from a cybersecurity incident at Sabre Corporation, a third-party hospitality technology provider. Sabre publicly disclosed in May 2017 that an unauthorized attacker had infiltrated its SynXis Central Reservations system, a platform used by numerous hotel chains to manage bookings. Four Seasons, alongside Trump Hotels, Hard Rock Hotels & Casinos, and Loews Hotels, notified customers in July 2017 that payment card data from reservations processed through SynXis between August 10, 2016, and March 9, 2017, was compromised. Sabre alerted these hotel chains to the breach on June 5 or 6, 2017, prompting them to issue public statements. Four Seasons emphasized that its internal systems remained secure and that only reservations handled by Sabre’s platform were affected. Unlike Trump, Hard Rock, and Loews, which identified specific impacted properties in their disclosures, Four Seasons’ public communication primarily consisted of a standardized letter provided by Sabre without enumerating affected locations.
The incident exposed customer payment information tied to reservations made during the nearly seven-month breach window. All affected hotel chains uniformly stated that the compromise was confined to Sabre’s systems, absolving their own networks of direct intrusion. This marked at least the third data breach involving Trump Hotels since 2014, including a prior incident resulting in a $500,000 fine from the New York Attorney General’s office. Hard Rock had also experienced a separate point-of-sale malware breach in 2016. The Sabre breach’s full scope remained unclear at the time of disclosure, with industry analysts speculating additional hotel chains might later report similar impacts. No specific details regarding the number of affected Four Seasons customers, forensic findings about the attacker’s methods, or financial losses directly attributed to the breach were disclosed in the available statements. The hotels directed concerned customers to contact Sabre for further information while reiterating their reliance on third-party providers for reservation services.