Google Staffers Hit by Breach at Third-Party Booking Firm

Google Staffers Hit by Breach at Third-Party Booking Firm

Google has been forced to notify some of its employees that their personal and financial details have been breached as a result of an incident affecting a third-party partner.

The web giant sent affected staff a letter late last week confirming that the incident at electronic reservation system firm Sabre earlier in the year impacted Google travel provider Carlson Wagonlit Travel (CWT).

It added:

“CWT has confirmed that one or more of your hotel reservations and the name, contact information, and payment card information associated with the reservation(s) may have been compromised.”

It turns out that CWT uses the Sabre SynXis Central Reservations System (CRS), which allows individuals and firms to make hotel reservations through travel agencies.

The letter (via Bleeping Computer) continued:

“The unauthorized party was able to access the name, contact information and payment card data associated with certain hotel reservations maintained in the SynXis CRS between August 10, 2016 and March 9, 2017. Sabre’s investigation discovered no evidence that information such as Social Security, passport, and driver’s license numbers were accessed. However, because the SynXis CRS deletes reservation details 60 days after the hotel stay, we are not able to confirm the specific information associated with every affected reservation.”

The incident is yet another example of the complex web of third party partners and providers which can expose even firms with the resources of Google to potential data breaches.

Fred Kneip, CEO of Denver-based CyberGRX, argued the leak shows how tricky it is for firms to know which of these partners poses the biggest cybersecurity risk to their organization.

“A company the size of Google, whose reputation depends in large part on its ability to keep data secure, has thousands of third parties in its digital ecosystem,” he added.

“Attackers are clearly focused on the weakest links within those ecosystems – third parties like HVAC vendors and travel agencies – in order to do real damage.

In one of the biggest breaches ever recorded, US retailer Target was famously attacked in 2013 after hackers compromised an HVAC partner which had lower-grade security in place.

Source: Information Security Magazine