Travel booking platform Sabre listed as compromised by Dunghill Leak group
Sabre, a leading travel booking company, is looking into potential cyberattack claims after a collection of files allegedly stolen from the company surfaced on a leak site maintained by the extortion group Dunghill Leak.
Sabre confirmed awareness of the claims made by the threat group regarding data exfiltration and stated that they are actively investigating to verify the authenticity of these claims.
The hackers asserted their involvement in a listing on their dark web leak site and claimed to have acquired approximately 1.3 terabytes of data, including databases containing:
- ticket sales records,
- passenger information,
- personal data of employees,
- sensitive corporate financial information.
The group provided a partial sample of the stolen files and mentioned that the entire cache would be released soon.
Screenshots that have come to light show database names linked to booking details and billing, potentially containing tens of millions of records, although it remains uncertain whether the hackers had direct access to the databases themselves. Some of these screenshots contained employee-related information, including:
- email addresses,
- work locations,
- names,
- nationalities,
- passport numbers,
- visa numbers,
- U.S. I-9 forms of authorized U.S. employees.
The exact timing of the alleged breach remains unknown, but the screenshots provided by the extortion group suggest that the data they possess is as recent as July 2022. The number of affected individuals remains undisclosed.
Based on their LinkedIn profiles, passport details found in the cache corresponded to Sabre employees, including a Sabre vice president.
Sabre operates as a travel reservation system and plays a role in providing data for airline and hotel bookings, check-ins, and related applications used by many U.S. airlines and hotel chains.
Update - The Dunghill Leak group stated it will release the 1.3 terabytes of stolen data in 8 batches as it finalizes the processing of the downloaded data.
While the initial sample was limited to Sabre staff details, the full data cache may contain much more:
- Databases on ticket sales in various online aggregators, their revenue data, and passenger turnover.
- Client data, including scans of clients' IDs.
- Personal information of Sabre employees, from names and insurance numbers to residential addresses, passport data, and more.
- Detailed financial information, including bank account details, balance sheets, and payroll data.
- Files associated with the airflite-client application, its source code, and logs.
Update - As of the 11th of December 2024, Sabre reported that information from nearly 30,000 employees was exfiltrated during the incident. Data exposed by the incident include:
- employees' names,
- birthdates,
- Social Security numbers,
- employment details,
- financial account numbers,
- passports,
- national ID numbers,
- driver's licenses,
- signatures.