Travel technology company Sabre Corp. recently reached a deal with different states regarding the multi-state data breach case it faced back in 2017, said The National Law Review. The firm is also required to make necessary changes to its cybersecurity policies.
The incident, which took place between August 2016 and March 2017, involved a cyberattack that is believed to compromise 1.3 million customer credit cards. The cards were used for travel-related bookings on Sabre’s system.
As a result, 27 Attorney Generals of the State initiated an investigation. The filing claims that “Sabre’s cybersecurity measures were inadequate and that Sabre failed to adequately notify customers of the breach,” as per The National Law Review.
The company was able to notify some customers of the incident on June 6, 2017, while a portion of customers was only informed in 2018.
The multi-state case specified that if found liable, the company should make a $2.4 million payment, which will be divided into 27 shares for each state that filed the complaint. It is also required to outline the responsibilities of parties in a breach in its contracts using clear language.
The company is also expected to review its notification process to see if it was able to provide timely and sufficient notices to affected customers. Moreover, it needs to create and maintain a security system that can effectively address similar situations.
One of the states that initiated the investigation in New York is State Attorney General Letitia, who said, “Sabre first failed its customers with a susceptible security system, then failed them when it came to providing proper notifications.”
In a Bank of Security report, James was quoted saying, “Companies need to do a better job of notifying New Yorkers when their personal information has been breached.”
Vermont State Attorney General T.J. Donovan led the coalition. Regarding Sabre’s accountability, he said, “When a business relies on a vendor, it should be able to trust that the vendor will adequately protect its data, and it if does have a breach, respond appropriately.”
Additionally, Illinois Attorney General Kwame Raoul noted, “By not having appropriate information security measures or plans for responding to a data breach, Sabre Left information belonging to millions of consumers vulnerable.”
Aside from New York, Vermont, and Illinois, states that will receive a share in the settlement include Alaska, Arizona, Arkansas, Connecticut, Florida, Hawaii, Indiana, Iowa, Louisiana, Michigan, Minnesota, Missouri, Montana, Nebraska, Nevada, New Jersey, North Carolina, North Dakota, Ohio, Oregon, Pennsylvania, Tennessee, Virginia, and Washington.