Hard Rock and Loews hotel chains notified guests of security breaches

Hard Rock and Loews hotel chains notified guests of security breaches; the incidents are linked to the hack of the SynXis platform provided by the Sabre firm.

It has happened again: the Hard Rock Hotels and Casinos franchise is alerting guests about a possible data breach.

Customers have to monitor their bank accounts for suspicious activity and report it immediately.

The Hard Rock Hotels and Casinos chain learned on June 6 of a security breach in which crooks gained access to payment card data for a “small subset” of customers who booked reservations through the SynXis platform provided by third-party vendor Sabre Hospitality Solutions.

In May, the travel tech giant Sabre confirmed in an SEC filing that it was “investigating an incident involving unauthorized access to payment information contained in a subset of hotel reservations processed through the Sabre Hospitality Solutions SynXis Central Reservation system.”

The intruders gained access to the system after hijacking an internal account on the SynXis system.

“The unauthorized access has been shut off and there is no evidence of continued unauthorized activity,” reads a statement that Sabre sent to affected properties in May. “There is no reason to believe that any other Sabre systems beyond SynXis Central Reservations have been affected.”

The impact of the incident could be severe: the SynXis Central Reservation product is a rate and inventory management SaaS application that is currently used by more than 32,000 hotels worldwide.

Later, the company confirmed the hackers had managed to access personally identifiable data, payment card details, and other information.

Back to the present: the investigation into the Hard Rock Hotels and Casinos franchise breach concluded this week. The company notified customers and the Federal Trade Commission of the incident.

The security breach took place between Aug. 10 and March 9 and affected an undisclosed number of guests at 11 Hard Rock properties:

Hard Rock Hotel & Casino Biloxi, Hard Rock Hotel Cancun, Hard Rock Hotel Chicago, Hard Rock Hotel Goa, Hard Rock Hotel & Casino Las Vegas, Hard Rock Hotel Palm Springs, Hard Rock Hotel Panama Megapolis, Hard Rock Hotel & Casino Punta Cana, Hard Rock Hotel Riviera Maya, Hard Rock Hotel San Diego and Hard Rock Hotel Vallarta.

“The brand was recently notified of a security incident through third-party hotel reservation system – The Sabre Hospitality Solutions SynXis. Following an examination of evidence, Sabre alerted Hard Rock Hotels & Casinos on June 6, 2017 that an unauthorized party gained access to account credentials that permitted unauthorized access to unencrypted payment card information, as well as certain reservation information, for a subset of hotel reservations processed through the reservation system,” reads the statement issued by the company. “The investigation determined that the unauthorized party first obtained access to payment card and other reservation information on August 10, 2016. The last access to payment card information was on March 9, 2017.”

“Not all of our hotels leverage Sabre Hospitality Solutions SynXis, so only a small subset were affected. Customers have been notified and Sabre has contacted the FTC,” the company said in a statement. “Hard Rock Hotels & Casinos is in the process of notifying the attorneys general’s offices as required by law.”

In June 2016, the Hard Rock Hotel & Casino in Las Vegas disclosed a data breach for the second time; customers who made purchases between October 27, 2015 and March 21, 2016 were affected by the breach.

The first one was disclosed in May 2015, when the company announced that the compromised payment cards had been used between September 3, 2014 and April 2, 2015, at the restaurant, bar and retail locations at the Hard Rock Hotel Las Vegas property.

Another luxury hotel chain, Loews Hotels, reportedly also began notifying customers that they were impacted by the Sabre breach.

“Luxury hotel chain Loews Hotels is warning some customers that a data breach may have resulted in financial information being stolen,” reports NBC 10 Philadelphia.

“Hackers obtained access to credit card, security code and password information through a third-party company, Sabre, which provides booking services through travel agencies, websites and other mediums, the hotel chain said. In some cases, email, phone number, and street addresses were also taken.

Highly-sensitive information like Social Security numbers and passport information was not affected.”

The Sabre incident could have serious repercussions: this week Google notified some employees that they may have been hit by the data breach suffered by travel technology firm Sabre.

Google notified affected employees via letter; the IT giant learned of the Sabre breach on June 16 from Carlson Wagonlit Travel (CWT).

Google notified employees that their name, contact information and payment card details may have been accessed by attackers, who breached the reservations system between August 10, 2016 and March 9, 2017.

“We recently learned that certain hotel reservations made for Google business travel were among the many reservations affected by a security incident impacting a third-party provider’s electronic reservation system that serves thousands of travel agencies and hotels. This did not affect Google’s systems. However, this incident impacted one of the travel providers used by Googlers, Carlson Wagonlit Travel (CWT),” states the letter.

“Sabre’s investigation discovered no evidence that information such as Social Security, passport, and driver’s license numbers were accessed,” Google said. “However, because the SynXis CRS deletes reservation details 60 days after the hotel stay, we are not able to confirm the specific information associated with every affected reservation.”

To protect its employees, Google opted to offer those affected two years of identity protection and credit monitoring services.

Sabre declared that only 15 percent of the average daily bookings on its reservation system between August and March were viewed.

“Not all reservations that were viewed included the payment card security code, as a large percentage of bookings were made without a security code being provided,” Sabre said in a statement. “Others were processed using virtual card numbers in lieu of consumer credit cards. Personal information such as social security, passport or driver’s license number was not accessed. Sabre has notified law enforcement and the credit card brands as part of our investigation.”

Pierluigi Paganini

(Security Affairs – Rock Hotel, data breach)

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field; he is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for US. Pierluigi is a member of "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
