Ohio To Receive $81K In $2.4M Reservation Data Breach Settlement

COLUMBUS, OHIO —The state of Ohio will receive a settlement of $81,000 after Attorney General Dave Yost announced the results of a widespread investigation involving 27 states and the breach of a hotel booking system that compromised 1.3 million credit cards.

The data breach took place within Sabre Hospitality Solution’s hotel booking system in the more than two dozen states, including Ohio, Yost said in a news release. The settlement agreement provides injunctive relief and requires a total payout of $2.4 million.

Sabre Hospitality operated a hotel reservation system and facilitated bookings between business travel coordinators, travel agencies, online booking companies and Sabre’s hotel customers, the release said. In June 2017, Sabre alerted its hotel customers that a data breach had occurred between August 2016 and March 2017 involving its reservation system. The company did not alert customers directly, but instead notified hotels directly, Yost said.

Customers were then notified by the hotels but some did not receive word of the breach until as late as 2018 and some customers received multiple notices stemming from the same breach, the news release states.

The settlement requires Sabre to include language in future contracts that specifies the roles and responsibilities of both parties in the event of a breach, Yost said in the release. The settlement also requires the company to maintain a comprehensive information security program and begin a written incident response program and data breach notification plan as well as specific security requirements.

“Sabre’s customers seeking hotel reservations were also booked on a hacker’s hard drive,” Yost said in the news release. “And instead of fessing up to it, Sabre forced the hotels to apologize for its mistakes – but now it’s time to face facts.”