Cyber Incident Victim: Loews Hotels

Loews Hotels notified customers in July 2017 of a data breach involving unauthorized access to reservation systems managed by Sabre, a third-party booking service provider. The breach occurred over a seven-month period from August 2016 through March 2017, during which attackers obtained financial information including credit card numbers, security codes, and passwords associated with hotel bookings. In some instances, additional personal details such as email addresses, phone numbers, and physical addresses were also compromised. Sabre detected the intrusion and alerted Loews in June 2017, approximately three months after the unauthorized access concluded. The attackers specifically targeted booking data processed through Sabre's systems, which handled reservations made via travel agencies, websites, and other platforms. Loews emphasized that highly sensitive information like Social Security numbers and passport details remained unaffected.

Sabre's investigation revealed that the hackers accessed fewer than 15% of the average daily bookings processed during the breach window. Upon notification, Loews initiated customer communications advising vigilance in monitoring credit card statements and credit reports for fraudulent activity. The hotel chain directed affected individuals to contact their financial institutions immediately if suspicious transactions were identified. No evidence suggested misuse of the stolen data prior to the disclosure. The incident exclusively impacted bookings managed through Sabre's infrastructure, with no direct compromise of Loews' internal systems. Sabre and Loews did not disclose the total number of affected guests or specific technical details about the attack methodology.