Third-party breach affecting Four Seasons contained

Four Seasons Hotels and Resorts learned of a data security breach at Sabre Hospitality Solutions, a third-party hotel reservations provider working with the company. The intrusion compromised payment card data and other information pertaining to a limited number of consumers. Four Seasons confirmed the issue has been contained and no unauthorized access to Sabre's system currently exists.

The hotel chain also emphasized that guests who made reservations through Fourseasons.com, the Four Seasons Worldwide Reservations Office, or directly through any of its hotels and resorts were not affected by the incident. The impacted reservations were made through such nondirect channels as online travel agencies and travel agents, which are processed through Sabre Hospitality Solutions SynXis Central Reservation System.

Breach, investigation, aftermath

Four Seasons disseminated the following details about how the intrusion occurred, how it is being investigated and how consumers can protect themselves:

  • What happened: The Sabre SynXis Central Reservation System facilitates the booking of hotel reservations made by consumers through online travel agencies, travel agents and similar booking services. Following an examination of forensic evidence, Sabre informed Four Seasons Hotels and Resorts on Dec. 15, 2017, that an unauthorized party gained access to Sabre support account credentials. Based on Sabre's level of access, the unauthorized party was able to view certain unencrypted payment card information, as well as certain reservation information, for a subset of Four Seasons reservations processed through Sabre's system.
  • Duration of unauthorized access: Sabre's investigation determined that the unauthorized party obtained brief access to payment card and other reservation information on Oct. 21, 2017. Sabre's investigation did not uncover evidence that the unauthorized party removed any information from the system, but it is a possibility.
  • Information involved: The unauthorized party was able to access payment card information for certain hotel reservation(s), including cardholder name; payment card number; card expiration date; and, potentially, card security code. The unauthorized party was also able, in some cases, to access certain information such as guest name, email, phone number, address, and other information. Personal information such as Social Security, passport, or driver's license number was not accessed.
  • What Sabre is doing: Sabre has engaged a leading cybersecurity firm to support its investigation. Sabre also notified law enforcement and major credit card brands about this incident so that they can coordinate with card issuing banks to monitor for fraudulent activity on cards used.
  • What affected individuals can do: Affected individuals should remain vigilant for incidents of fraud and identity theft by regularly reviewing account statements and monitoring free credit reports for any unauthorized activity. If there is any suspicious or unusual activity on accounts, affected individuals should report it immediately to their financial institutions, as major credit card companies have rules that restrict them from requiring payment for fraudulent charges that are timely reported.

Four Seasons also said it is "working closely with Sabre to ensure Four Seasons guests are notified in a timely manner and provided with appropriate information. Impacted guests with available email or mailing addresses have been sent notification of this incident commencing on Jan. 15, 2018."