by Robert McGarvey
What now in terms of hotel guest insecurities, now that Sabre has disclosed a breach that may have impacted some 32,000 hotels that use the company’s data services?
This is bad. Potentially a lot worse than the many, many hotel breaches we have learned about over the past few years, from Trump through Mandarin. That’s because those hotel breaches largely were confined to systems used in bars, restaurants and gift shops. The prevention was simple: don’t use plastic at those establishments; in fact, just don’t use those places at all, and if you must, pay cash or sign the charges over to your room. Room-related systems, we had always heard, had not been compromised.
An exception was the recent Intercontinental Hotels breach where, it was acknowledged, reservations-related data may have been hacked. IHC posted a widget for checking if hotels you have used were compromised.
That IHC breach is bad. The Sabre breach may be much worse.
Oddly, it’s gotten scant coverage in the consumer press and not a lot more in the trade press. Probably due to breach burnout.
But the Sabre breach has to be looked at closely.
Buried in Sabre’s recent 10-Q filing is this: “We are investigating an incident involving unauthorized access to payment information contained in a subset of hotel reservations processed through the Sabre Hospitality Solutions SynXis Central Reservation system. The unauthorized access has been shut off, and there is no evidence of continued unauthorized activity at this time. We have retained expert third-party advisors to assist in the investigation and are working with law enforcement. There is a risk that this investigation may reveal that PII, PCI (each as defined below), or other information may have been compromised. It is not possible at this time to determine whether we will incur, or to reasonably estimate the amount of, any liabilities in connection with this incident. We maintain insurance that covers certain aspects of our cyber risks, and we are working with our insurance carriers in this matter.”
PII data, btw, is “personally identifiable information,” meaning it potentially identifies you.
According to reporting by security blogger Brian Krebs, Sabre has said that the breach has been plugged and the situation is under control: “There is no reason to believe that any other Sabre systems beyond SynXis Central Reservations have been affected,” said Sabre in a note to its customers.
But here’s the rub: Sabre’s systems are used by literally thousands of hotels to manage guest reservations and payments. Airlines too use the systems.
Sabre has declined to share more details about the breach. Nobody knows exactly what data was lifted, or for how long.
But a safe assumption is that if you have stayed in hotels and/or flown on commercial planes your payments data may now be in the hands of criminals. It may not be – because we know so few details of the hack – but caution and the hospitality industry’s track record suggest erring on the side of paranoia.
What should you do?
Start by monitoring charges, especially on the cards you use for travel expenses. Really read the monthly statements. Question anything that looks hinky.
Just stop using debit cards – ever – for travel-related expenses. The protections just are not as good as they are for credit cards and, in most cases, getting wrongly used cash restored to your account can involve delays when a debit card is involved. That can be a giant hassle when a mortgage or tax payment is due and the money just is not in your account yet.
Only use credit cards at hotels and with airlines.
More advice: it’s time to stop using hotel WiFi except for the most mundane tasks. If you want to check the Yankees’ score – and I’m with you on that – sure, use hotel WiFi for checking into ESPN.
But with anything that involves a password that matters to you, use your phone’s cellular data or use the phone to create a personal hotspot to power your laptop’s surfing. Cellular data isn’t perfect but it is far, far safer than any public WiFi.
Also, use cash to pay at hotels wherever possible. Hotels have shown their cybersecurity cannot be trusted – even if the hotel is doing its job, its vendors may not be. Throwing a $10 bill on the bar for your draft beer won’t come back to haunt you.
Survey cybersecurity experts and many believe still more hotels will be breached. Why? Hard to say, except the obvious issue is that the industry has not invested in the systems and protections needed to keep guest data truly safe.
Just know this: you can’t trust hotels to keep your card data safe. Act accordingly.