The details of Google employees have been left exposed by an agency that looks after the search engine giant's travel bookings, it has emerged.
Google notified its employees and the state of California about the breach, adding that names, contact details and card data used to make hotel bookings may have been accessed by attackers.
In a letter sent to employees, it said the incident impacted one of the travel providers used by Googlers, Carlson Wagonlit Travel (CWT).
“CWT has confirmed that one or more of your hotel reservations and the name, contact information, and payment card information associated with the reservation(s) may have been compromised,” the letter said.
It added that a company named Sabre Hospitality Solutions operates the SynXis Central Reservations system (CRS), which facilitates the booking of hotel reservations made by individuals and companies, such as Google, through travel agencies.
“Sabre discovered unauthorized access to an internal account in the SynXis CRS. Following an investigation, Sabre notified CWT, which uses the SynXis CRS, that an unauthorized party gained access to personal information associated with certain hotel reservations made through CWT. CWT subsequently notified Google about the issue on June 16, 2017, and we have been working with CWT and Sabre to confirm which Google travelers were affected,” said the letter.
It added that Sabre's investigation found no evidence that information such as Social Security, passport and driver's license numbers was accessed.
“However, because the SynXis CRS deletes reservation details 60 days after the hotel stay, we are not able to confirm the specific information associated with every affected reservation,” said Google.
Sabre acknowledged the data breach in a quarterly report last May.
Google added that it was working with CWT and Sabre to address this issue. Sabre engaged a leading cyber-security firm to support its investigation. Sabre indicated that they also notified law enforcement and the payment card brands about this incident, according to Google.
Google will now offer its employees 24 months of identity protection and credit monitoring services. It urged employees to review account statements for incidents of fraud and identity theft.
High-Tech Bridge's CEO, Ilia Kolochenko, told SC Media UK that companies can demand that third parties provide credible assurance of their internal cyber-security and data protection.
“ISO 27001 can be a good example for midsize and large companies, as well as Cyber Essentials for SMEs,” he said.
He added that data breaches caused by third-party providers will occur more frequently.
“Cyber-criminals are carefully calculating their costs and always select the weakest link to attack. In the interconnected world, confidential information can be found virtually everywhere, opening plenty of new opportunities for the attackers,” said Kolochenko.
Craig Parkin, associate partner at Citihub Consulting, said California data breach notification rules require notification of any breach concerning 500 or more California residents. “We can assume at least 500 employees in California are affected by this, but it's possible there are many more globally,” he added.
“Organisations have to ensure they partner with third parties who treat their employees' data as securely as they would, not just how it is kept and transferred but how it is processed. Assessments and reviews are key, and a thorough review of a third party's controls and data handling procedures should be carried out,” said Parkin.