Sabre has finished its investigation into a previously announced security breach impacting its SynXis hotel reservation system and concluded that "an unauthorized party accessed certain payment card information."
The incident came to light at the start of May.
In an update last night, Sabre said a limited subset of bookings made through SynXis were "accessed", of which only a certain number were then "viewed".
It has brought in global corporate services business Epiq Systems to handle the consumer-facing elements of the data breach. A dedicated microsite has been set up, to where consumers are directed.
This site offers more detail than the statement into what was accessed and/or viewed:
The unauthorized party was able to access payment card information for hotel reservations, including cardholder name; payment card number; card expiration date; and, for a subset of reservations, payment card security code.The unauthorized party was also able, in some cases, to access certain information such as guest name, email, phone number, address, and other information.Information such as Social Security, passport, or driver’s license number, was not accessed.
The consumer site also reveals that the breach was made possible by the hacker "gaining access to account credentials that permitted [the] unauthorized access."
The breach has been shut and Sabre says that no other systems - specifically distribution and airline solutions - were affected.
The unauthorized access happened over a seven-month period, from August 16 to March 17.
Sabre first announced it was looking into the incident in a 10Q filing in the "contingencies/legal proceedings" section. There is no indication in today's statement about the amount, if any, of its financial liability related to the incident.