nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

Whoa, bad trip, man: Google workers' info exposed during travel-booking software hack

Chocolate Factory warns staff, Cali officials of security blunder

By Shaun Nichols, 30 Jun 2017

Google says some employees may have had their personal information exposed after the software system that handles its company travel bookings got hacked.

The Mountain View ads broker said in a form letter [PDF] sent to employees – and the state of California – that information including names, contact details and payment card numbers used for hotel bookings had been lifted.

The stolen data was not the result of any attack or leak on Google's end. Rather, it was data plundered earlier this spring when the Sabre Hospitality Solutions SynXis reservation system was compromised.

One of the agencies relying on the SynXis reservation system was Carlson Wagonlit Travel (CWT), which Google pays to handle booking rooms for business trips. As it turns out, the details for some of those Google trips were among the hackers' haul.

"Sabre notified CWT, which uses the SynXis CRS, that an unauthorized party gained access to personal information associated with certain hotel reservations made through CWT," Google told its workers. "CWT subsequently notified Google about the issue on June 16, 2017, and we have been working with CWT and Sabre to confirm which Google travelers were affected."

While Google doesn't think the stolen info goes beyond contact information and payment cards, it notes that, thanks to Sabre's data retention policies, it can't be too sure.

"Sabre's investigation discovered no evidence that information such as Social Security, passport, and driver's license numbers were accessed," the Chocolate Factory warned.

"However, because the SynXis CRS deletes reservation details 60 days after the hotel stay, we are not able to confirm the specific information associated with every affected reservation."

Now, Google says it will be footing the bill for two years' worth of identity and credit monitoring services for the employees whose info was stolen. In addition to the paid services, Google is advising employees to keep a close eye on their bank statements and dispute any fraudulent charges that might be made with the stolen cards. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing