Cyber Incident Victim: Sabre Corporation
Date:
May 2017
Location:
United States of America
Summary
A cybersecurity incident at Sabre Corp.'s hospitality division involved unauthorized access to payment and customer data within its SynXis Central Reservations system, used by over 32,000 lodging properties. The breach compromised a subset of hotel bookings, potentially exposing sensitive payment information, though the company confirmed no other systems were affected and halted the unauthorized activity. Sabre engaged forensic experts and law enforcement, noting no evidence of continued intrusion. The incident occurred amid broader hospitality sector vulnerabilities, where point-of-sale intrusions and payment data theft were prevalent. While the exact scope and duration remained unclear, the scale of the reservation system suggested significant exposure risks for customer credit cards processed through the platform.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On May 2, 2017, Sabre Corp., a major travel industry technology provider based in Southlake, Texas, disclosed unauthorized access to payment and customer data within its Hospitality Solutions SynXis Central Reservations system. The breach impacted a subset of hotel reservations processed through SynXis, a SaaS platform used by over 32,000 lodging establishments globally for managing rates, inventory, and distribution. Sabre initiated an investigation with cybersecurity firm Mandiant, notified law enforcement, and assured customers that the unauthorized access had been terminated with no evidence of ongoing malicious activity. The company confirmed the breach was isolated to the SynXis Central Reservations system, with no compromise detected across its broader portfolio of airline, mobile, or distribution solutions. While Sabre’s SEC filing acknowledged the incident, specific details regarding the breach duration, root cause, and total affected reservations remained undisclosed at the time of reporting. The scale of potential exposure was significant due to SynXis processing transactions for tens of thousands of properties, raising concerns about the volume of payment cards at risk.
The incident occurred amid a surge in hospitality sector breaches, including a separate malware-based attack affecting over 1,200 Intercontinental Hotel Group properties that same year. Verizon’s 2017 Data Breach Investigations Report highlighted accommodation as the most targeted industry for point-of-sale intrusions, accounting for 87% of breaches in that category. Unlike many hotel breaches involving POS malware at individual properties, Sabre’s incident centered on its centralized reservation infrastructure, potentially magnifying the impact across multiple client organizations. Historical precedents included breaches at Hilton, Hyatt, Starwood, and Trump Hotels, often involving card-skimming malware on front-desk or restaurant systems. Sabre’s role as a critical intermediary processing $110 billion in annual travel spend amplified concerns about systemic vulnerabilities in travel industry supply chains. The breach underscored persistent challenges in breach detection timelines, with Verizon noting industry-wide patterns of rapid compromise, delayed discovery, and prolonged containment. No specific customer notification figures or financial impacts were disclosed by Sabre in the initial announcement.