14 DAY TRIAL // UPDATE: CWT has provided us a statement to emphasize that the company isn't using the SHS software. Original story follows after the statement.
"CWT was informed by Sabre that some traveler data had been viewed by an outside party due to a breach of Sabre’s Hospitality Solutions / SynXis Central Reservation system (“SHS”), which provides reservations technology and support to hotels.
SHS is not a CWT technology platform or a solution used by CWT. CWT has proactively notified potentially impacted customers and encouraged them to visit the Sabre microsite (which includes call center details)."
ORIGINAL STORY: The travel agency in charge of hotel bookings for Google’s employees has suffered a breach, with details such as names, contact details, and credit card information possibly exposed.
Google has already issued a warning to the State of California and sent a letter to affected employees, explaining that Social Security numbers, passport, and driver’s license information were not compromised.
The breach impacted a reservation system called Sabre Hospitality Solutions SynXis, which is also being used by Carlson Wagonlit Travel (CTW), a travel agency that makes hotel bookings for Google employees leaving on business trips.
Hackers had access to the software for several months
Sabre first learned about the breach in early May and started notifying customers shortly after that. More than 32,000 hotels worldwide are said to be using the reservation system.
“Sabre notified CWT, which uses the SynXis CRS, that an unauthorised party gained access to personal information associated with certain hotel reservations made through CWT. CWT subsequently notified Google about the issue on June 16, 2017, and we have been working with CWT and Sabre to confirm which Google travelers were affected,” Google explained in a letter submitted to affected employees.
“Sabre's investigation discovered no evidence that information such as Social Security, passport, and driver's licence numbers were accessed. However, because the SynXis CRS deletes reservation details 60 days after the hotel stay, we are not able to confirm the specific information associated with every affected reservation.”
Google goes on to explain that names, contact information and credit card details might have been exposed, revealing that hackers had access to the reservation system for several months between August 10, 2016 and March 9, 2017.
Google is offering employees 24 months of complimentary identity protection and credit card monitoring services, recommending everyone to “remain vigilant” for incidents of fraud and identity theft. Google employees who believe they might be victims of identity theft are recommended to contact the FTC or the police.