Sabre Data Security Incident

Sabre Data Security Incident Impacting Hotel Guest Payment Card Information

Four Seasons Hotels

Four Seasons Hotels and Resorts was recently informed of a data security incident at Sabre, a third-party hotel reservations provider to thousands of hotel properties, including those managed by Four Seasons. The incident involved unauthorized access to certain guest information associated with a subset of hotel reservations processed through Sabre's SynXis Central Reservations System (CRS) from August 10, 2016 until March 9, 2017. Sabre has confirmed that the issue has been contained and the unauthorized access has been revoked, but some guest information may have been compromised as a result of the incident.  

What Happened

The Sabre CRS facilitates the booking of hotel reservations made by consumers through hotels, online travel agencies, and similar booking services. Following an examination of forensic evidence, Sabre confirmed to Four Seasons Hotels and Resorts on June 6, 2017 that an unauthorized party gained access to account credentials that permitted unauthorized access to certain unencrypted payment card information, as well as certain reservation information, for a subset of hotel reservations processed through Sabre's system.

Sabre's investigation determined that the unauthorized party first obtained access to payment card and other reservation information on August 10, 2016. The last access to payment card information was on March 9, 2017. Sabre's investigation did not uncover evidence that the unauthorized party removed any information from the system, but it is a possibility.

Sabre's CRS platform serves thousands of hotel properties in all market segments from independent properties to large global chains; many of these companies and other travel partners have been impacted by this incident. As a result, affected individuals may receive multiple notifications about this incident from multiple hotel properties or hotel brands, credit card companies, or other travel partners. 

Reservations made on Fourseasons.com, with Four Seasons Worldwide Reservations Office, or made directly with any of Four Seasons 105 hotels or resorts were not compromised by this incident.

What Information was Involved

The unauthorized party was able to access payment card information for certain hotel reservation(s), including cardholder name; payment card number; card expiration date; and, potentially, card security code. The unauthorized party was also able, in some cases, to access certain information such as guest name, email, phone number, address, and other information. Information such as Social Security, passport, or driver's license number was not accessed.

What Sabre is Doing

Sabre has engaged a leading cybersecurity firm to support its investigation. Sabre also notified law enforcement and major credit card brands about this incident so that they can coordinate with card issuing banks to monitor for fraudulent activity on cards used.

What Affected Individuals Can Do

Affected individuals should remain vigilant for incidents of fraud and identity theft by regularly reviewing account statements and monitoring free credit reports for any unauthorized activity. If there is any suspicious or unusual activity on accounts, affected individuals should report it immediately to their financial institutions, as major credit card companies have rules that restrict them from requiring payment for fraudulent charges that are timely reported.

For More Information

Four Seasons is working closely with Sabre to ensure Four Seasons guests are notified in a timely manner and provided with appropriate information.  Guests with available email or mailing addresses have been sent notification of this incident commencing on July 6, 2017. 

For further questions regarding this incident or to determine whether your reservation has been impacted, please call the dedicated toll-free response line at 800-442-8960 (U.S. and Canada) and 503-520-4461 (international).  This response line is staffed with professionals familiar with Sabre's data security incident and knowledgeable on what affected individuals can do to protect against misuse of their information.  The response line is available 24 hours a day, Monday through Friday, with voicemail available outside of those hours. Translation services are available at the response line.  

For additional information visit http://sabreconsumernotice.com



Logos, product and company names mentioned are the property of their respective owners.