Ransomware Group Takes Responsibility for Sabre Data Breach
Travel booking giant Sabre is currently looking into allegations of a cyberattack after a collection of files, purportedly taken from the company, surfaced on a leak site associated with an extortion group.
Heidi Castle, a spokesperson for Sabre, stated via email, "Sabre is aware of the claims of a data exfiltration made by the threat group, and we are currently investigating to determine their validity."
The group claiming responsibility for this apparent cyberattack is known as the Dunghill Leak group. They announced their involvement on a dark web leak site, asserting that they had acquired approximately 1.3 terabytes of data. This haul reportedly includes databases containing information on ticket sales, passenger turnover, employee personal data, and corporate financial records.
The Dunghill Leak group has also posted a portion of the files they claim to have stolen, with a promise to release the full cache "soon."
Sabre operates as a travel reservation system and a significant provider of air passenger and booking data. Their software and data support essential functions in airline and hotel bookings, check-ins, and related applications. Many major U.S. airlines and hotel chains rely on Sabre's technology.
Among the screenshots were records related to employees, including email addresses and workplace locations. One screenshot contained employee names, nationalities, passport numbers, and visa details. Additionally, several U.S. I-9 forms of employees authorized to work in the United States were visible. Some of the passports found in the cache were associated with Sabre employees, including a Sabre vice president, as corroborated by their LinkedIn profiles.
The precise timeline of the alleged breach is unknown, but the screenshots posted by the extortion group suggest that the data may be as recent as July 2022.
Not much is known about Dunghill Leak, except that it is a relatively new ransomware and extortion group believed to have evolved or rebranded from the Dark Angels ransomware, itself a descendant of the Babuk ransomware, according to security researchers at Malwarebytes. Dunghill Leak has previously claimed responsibility for targeting Incredible Technologies (a coin-operated game maker), Sysco (a food giant), and Gentex (an automotive products manufacturer).
It's worth noting that ransomware and extortion groups often forego file encryption and instead focus on the threat of publishing sensitive data unless a ransom is paid. The FBI and international law enforcement agencies have consistently discouraged victims from paying such ransoms.
Sabre's last reported security incident occurred in 2017 when hackers scraped one million credit cards from its hotel reservation system. In the aftermath, the company paid $2.4 million to settle allegations from several states stemming from the breach.