Attorney General Curtis Hill and 26 other attorneys general have agreed to a settlement with Texas-based Sabre Inc. that resolves an investigation into a 2017 data breach of Sabre Hospitality Solutions’ hotel-booking system. Under the settlement, Hill’s office says Sabre must pay $2.4 million, which will be distributed to Indiana and the 26 other states, and Indiana will receive more than $61,000 and injunctive relief.
The breach, which exposed the data of about 1.3 million credit cards, included some belonging to Indiana residents.
“Sabre waited for months to tell consumers that their personal financial information had been exposed in a data breach. That lag is unacceptable,” said Attorney General Hill. “We are pleased that Sabre has agreed to measures in this settlement that will ultimately enhance its cybersecurity preparedness. This will benefit not only the company, but also the Hoosiers who use the company’s services.”
Additionally, Hill’s office says the settlement requires Sabre:
- to include language in future contracts that specifies the roles and responsibilities of both parties in the event of a data breach
- to try to determine in the event of a data breach whether its customers have provided notice to consumers, and to provide the attorneys general a list of all customers it has notified
- to implement and maintain a comprehensive information security program
- to implement a written incident response and data breach notification plan
- to implement specific security requirements
- to undergo a third-party security assessment