Credential theft
Supply Chain
Sabre SynXis Central Reservations Breach (1.3M Cards, 36K Hotels)
Incident Details
Between approximately August 10, 2016 and March 9, 2017, an attacker used a compromised administrator account in Sabre Corporation’s SynXis Hospitality Solutions central reservations system, a booking platform used by approximately 36,000 hotels worldwide. The attacker traversed the system daily for approximately 7 months, accessing payment pages and exfiltrating data. The breach affected hotels that used SynXis for direct bookings, including Four Seasons, Trump Hotels, Kimpton, Red Lion Hotels, Rosewood Hotels, Hard Rock Hotels, Loews Hotels, and thousands of others. Approximately 1.3 million credit cards were compromised. Exposed data included card numbers, expiration dates, authorization codes, plus guest names, email addresses, phone numbers, and physical addresses for some reservations. Sabre disclosed the breach in its SEC 10-Q filing in May 2017 and notified affected hotel clients. Sabre settled with state attorneys general for $2.4 million. The breach illustrated the risk of centralized reservation systems that aggregate payment data for thousands of hotels: a compromise of the platform affects all downstream hotel clients simultaneously.
Technical Details
- Initial Attack Vector: Attacker compromised an administrator-level account in Sabre's SynXis central reservations system; the admin password was stored in plaintext within the system; the attacker used the admin account to access payment processing pages and exfiltrate card data daily over approximately 7 months
- Vendor / Product: Sabre SynXis Central Reservations System
- Supply Chain Attack: Confirmed third-party / vendor compromise
Timeline
- 2016-08-10 Breach occurred
- 2017-05-02 Publicly disclosed
- 2017-06-01 Customers notified