Hard Rock Hotel data breach

Hard Rock Hotels & Casino has been hit by a cyber-attack that occurred through a third-party hotel reservation system.

A cyber-attack is thought to have happened on 10^th August 2016 where a hotel reservation system, run by Sabre Hospitality Solutions SynXis, was breached. When the breach was discovered, Sabre informed Hard Rock Hotels & Casinos of the breach; but this wasn’t until June 2017.

That’s a long time to pass before a breach is identified…

What information was accessed?

An unauthorised party reportedly accessed account details, which then allowed them access to unencrypted payment card details (including payment card numbers, card expiration dates and payment card security codes), guest names, emails, phone numbers, addresses and reservation information that was processed through the system.

Sabre contends that social security numbers, passport numbers and/or driver’s licence numbers weren’t accessed. But the information accessed is serious enough…

A year of unauthorised access?

Upon investigating the matter, it was discovered that the unauthorised party obtained access to payment card details and reservation information on 10^th August 2016. The investigation also revealed that the last access to payment card details was on 9^th March 2017.

It appears that Hard Rock systems were accessible for almost a year. Sabre has hired a leading cyber-security firm, Mandiant, to investigate the matter as well as notifying law enforcement agencies and banks about the security incident. It seems a little late to hire a cyber-security firm now when they’ve already allowed their systems to be vulnerable for almost a year…

They’ve tried to reassure guests that there’s no evidence of any continued unauthorised activity, but how can they be fully certain that that’s not the case?

What hotels were affected?

The Hard Rock brand has a global presence in countries around the world. The following hotels have reportedly been affected within this period:

• Hard Rock Hotel & Casino Biloxi;
• Hard Rock Hotel Cancun;
• Hard Rock Hotel Chicago;
• Hard Rock Hotel Goa;
• Hard Rock Hotel & Casino Las Vegas;
• Hard Rock Hotel Palm Springs;
• Hard Rock Hotel Panama Megapolis;
• Hard Rock Hotel & Casino Punta Cana;
• Hard Rock Hotel Rivera Maya;
• Hard Rock Hotel San Diego;
• Hard Rock Hotel Vallarta.

Sabre released a consumer website for those who booked a hotel reservation from 10^th August 2016 to 9^th March 2017. It notes they’ve been directed to this site as the incident may have affected customers who used payment cards to make reservations. They noted that:

“…a large percentage of bookings were made without a security code being provided. Others were processed using virtual card numbers in lieu of consumer credit cards.”

Notification

Sabre began notifying customers and partners who use or interact with the SynXis system. They’ve also issued an apology. In a statement, they said:

“…the Sabre team sincerely regrets this incident, and we appreciate the support and collaboration our partners have shown during this investigation.”

However, it doesn’t take away from the fact that guests could fall victim to further cyber-attacks and fraudulent activity.

Recurring breach?

This doesn’t appear to be the first time that Sabre’s system has been hacked. In May, Sabre revealed that its booking system was compromised when there was a threat that people’s payment card details were revealed.

Google also warned their employees of suspicious activity on their payment cards when one of its travel agencies, Carlson Wagonlit Travel, was exposed to the SynXis breach.