Attorney General Leslie Rutledge, in a news release Wednesday, announced that her office, along with attorneys general of 26 states, has entered into a settlement with Sabre Corp. that resolves an investigation into the 2017 data breach of Sabre Hospitality Solutions’ hotel booking system.
According to the release, the breach exposed the data of approximately 1.3 million credit cards.
The settlement announced by Rutledge requires a payment of $2.4 million, of which Arkansas will receive $166,962, and injunctive relief. The money will be used to fund civil-law enforcement and consumer education efforts.
“The civil enforcement actions include both lawsuits filed in Arkansas courts and Arkansas’s participation in multistate investigations and lawsuits like this one,” said Stephanie Sharp, a spokesperson in Rutledge’s office by email. “The consumer education includes local programs and events as well as online and other resources used to inform Arkansans of their rights and to warn them of scams and bad actors.”
Sharp said that although Sabre was unable to determine the exact number of consumers affected, there was no indication that any of those consumers suffered any financial harm as the result of the breach.
Even so, Rutledge maintained that companies that fail to safely maintain consumer data will be held accountable, regardless of whether anyone is harmed financially by that failure.
“Arkansans trust companies to keep their personal information safe and private and adhere to reasonable practices to safeguard their information. When a company does not do that, it will be held responsible,” Rutledge said in the release. “This settlement sends a message to companies across the country that they must maintain secure ways to protect sensitive material. Sabre Corporation is being held accountable and will be taking critical steps to ensure this does not happen again.”
Sabre Hospitality Solutions, a business segment of Sabre, operates the SynXis Central Reservation system, which facilitates the booking of hotel reservations.
On June 6, 2017, Sabre informed its hotel customers of a breach that occurred between August 2016 and March 2017, which the business had disclosed in a Securities and Exchange Commission filing the month before. Notice to consumers was provided by the hotels, resulting in some notices being issued as late as 2018, and some consumers receiving several notices stemming from the same breach.
The settlement requires Sabre to include language in future contracts that specifies the roles and responsibilities of both parties in the event of a breach. It also requires Sabre to try to determine whether its hotel customers have provided notice to consumers, and to provide the attorneys general a list of all the hotel customers that it has notified. In addition, the settlement requires that Sabre implement and maintain a comprehensive information security program, implement a written incident response and data breach notification plan, implement specific security requirements, and undergo a third-party security assessment.
Joining Rutledge in this settlement are the attorneys general of Vermont, Connecticut, Illinois, Alaska, Arizona, Florida, Hawaii, Indiana, Iowa, Louisiana, Michigan, Minnesota, Missouri, Montana, Nebraska, Nevada, New Jersey, New York, North Carolina, North Dakota, Ohio, Oregon, Pennsylvania, Tennessee, Virginia, and Washington.