For Immediate Release:
Wednesday, December 23, 2020
Laura Brewer (919) 716-6484
(RALEIGH) Attorney General Josh Stein today reached a $2.4 million multistate settlement with Sabre Corporation over a 2017 data breach of the company’s hotel booking system that exposed the data of approximately 1.3 million credit cards. North Carolina will receive $76,019.85 and injunctive relief.
“Companies that have access to people’s personal and financial information must ensure they do enough to protect that information,” said Attorney General Josh Stein. “I’m pleased that as a result of today’s settlement, Sabre will put in place needed measures to secure consumer data.”
Sabre’s hotel booking system connects business travel coordinators, travel agencies, and online travel booking companies with hotel customers. On June 6, 2017, Sabre informed its hotel customers of a data breach that had occurred between August 2016 and March 2017, which the business had disclosed in a 10-Q SEC filing the month before. The hotels provided notice to consumers, but some consumers received their notices late and some received multiple notices stemming from the same breach.
The settlement requires Sabre to:
- Specifies the roles and responsibilities of both parties in the event of a breach in future contracts.
- Try to determine whether its customers have provided notice to consumers, and to provide the attorneys general a list of all the customers that it has notified.
- Implement and maintain a comprehensive information security program.
- Implement a written incident response and data breach notification plan.
- Implement specific security requirements.
- Undergo a third-party security assessment.
Attorney General Stein is joined in this settlement by the Attorneys General of Vermont, Arkansas, Connecticut, Illinois, Alaska, Arizona, Florida, Hawaii, Indiana, Iowa, Louisiana, Michigan, Minnesota, Missouri, Montana, Nebraska, Nevada, New Jersey, New York, North Dakota, Ohio, Oregon, Pennsylvania, Tennessee, Virginia, and Washington.
More information about security breaches and protecting yourself from identity theft is available at http://ncdoj.gov/idtheft.