Travel booking giant Sabre said it was investigating claims of a cyberattack after a tranche of files purportedly stolen from the company appeared on an extortion group’s leak site.
“Sabre is aware of the claims of a data exfiltration made by the threat group and we are currently investigating to determine their validity,” Sabre spokesperson Heidi Castle said in an email.
The Dunghill Leak group claimed responsibility for the apparent cyberattack in a listing on its dark web leak site, alleging it took about 1.3 terabytes of data, including databases on ticket sales and passenger turnover, employees’ personal data, and corporate financial information.
The group posted a portion of the files they allegedly stole, claiming the full cache will be made “available soon.”
Sabre is a travel reservation system and major provider of air passenger and booking data, whose software and data is used to power airline and hotel bookings, check-ins, and apps. Many U.S. airlines and hotel chains rely on the company’s technology.
Screenshots seen by TechCrunch show several database names relating to booking details and billing containing tens of millions of records, though it’s not known if the hackers had access to the databases themselves.
Some of the screenshots seen contained records pertaining to employees, including email addresses and their work locations. One screenshot contained employee names, nationalities, passport numbers, and visa numbers. Several other screenshots show several U.S. I-9 forms of employees who are authorized to work in the United States. Several passports found in the cache corresponded with Sabre employees, including a Sabre vice president, according to their LinkedIn profiles.
It is not known when the alleged breach took place, but the screenshots posted by the extortion group show data that appears to be as recent as July 2022.
Little is known about Dunghill Leak, except that it is a relatively new ransomware and extortion group that evolved or rebranded from the Dark Angels ransomware, which came from the Babuk ransomware, according to security researchers at Malwarebytes. To date, Dunghill Leak has claimed credit for targeting coin-operated game maker Incredible Technologies, food giant Sysco, and automotive products maker Gentex.
It’s not uncommon for ransomware and extortion groups to forgo file encryption altogether, instead focusing on threatening to publish sensitive data if a ransom is not paid. The FBI and international law enforcement have long encouraged ransomware and extortion victims not to pay the ransom.
Sabre last reported a security incident in 2017, after hackers scraped a million credit cards from its hotel reservation system. The company paid $2.4 million to settle allegations brought by several states following the breach.