Sabre Investigating Cyberattack Amid Claims of Data Exfiltration
Sabre, the travel booking giant, is currently conducting an investigation into a potential cyberattack as files allegedly stolen from the company have surfaced on a leak site operated by an extortion group. The Dunghill Leak group has taken credit for the attack, stating that they managed to obtain approximately 1.3 terabytes of data, including ticket sales databases, passenger turnover records, employees’ personal information, and corporate financial data.
A ransomware group called Dunghill Leak has claimed responsibility for a cyberattack on Sabre, resulting in the exposure of sensitive data. Sabre is currently investigating the incident to determine the extent of the breach. The leaked information includes databases related to ticket sales and passenger turnover, employees’ personal data, and corporate financial details.
Sabre spokesperson Heidi Castle confirmed that the company is aware of the claims made by the threat group and emphasized that it is actively working to ascertain whether the claimed cyberattack is valid. Sabre provides a travel reservation system and plays a crucial role in handling air passenger and booking data, powering airline and hotel bookings, check-ins, and various related applications. Numerous major airlines and hotel chains in the United States rely on Sabre’s technology.
Data Exposed in the Attack
The leaked information includes screenshots displaying various database names associated with booking details and billing, potentially containing tens of millions of records. It remains uncertain whether the hackers had direct access to the databases themselves. Some of the screenshots revealed details about employees, such as email addresses and work locations. Moreover, employee names, nationalities, passport numbers, and visa numbers were exposed in one screenshot. Additionally, official forms required for employment authorization in the United States, known as I-9 forms, were found in the leaked data. LinkedIn profiles confirmed that the passports corresponded to Sabre employees, including a vice president.
The exact timeframe of the breach is unknown, but the screenshots posted by Dunghill Leak indicate that the exposed data is as recent as July 2022.
About the Dunghill Leak Ransomware Group
Little is known about the Dunghill Leak group, except that it is a relatively new ransomware and extortion group, potentially an evolution or rebranding of the Dark Angels ransomware, which was previously associated with the Babuk ransomware. Security researchers at Malwarebytes have attributed to the group attacks targeting notable organizations such as coin-operated game maker Incredible Technologies, food giant Sysco, and automotive products manufacturer Gentex.
It is worth mentioning that ransomware and extortion groups often forgo encrypting files and instead focus on threatening to expose sensitive data if their ransom demands are not met. Law enforcement agencies, including the FBI, have consistently advised against paying ransoms in these situations.
This incident marks another security breach for Sabre, following a previous incident in 2017 where hackers compromised a million credit cards from its hotel reservation system. The company settled allegations brought by multiple states, paying $2.4 million as a result of the breach.