Attorney General Curtis Hill and 26 other attorneys general have agreed to a settlement with Sabre Inc. that resolves an investigation into a 2017 data breach of Sabre Hospitality Solutions’ hotel-booking system. The breach exposed the data of approximately 1.3 million credit cards, including some belonging to Indiana residents.

The settlement requires Sabre to pay $2.4 million, which will be distributed to Indiana and the 26 other states. Indiana will receive $61,603.98 and injunctive relief.

Additionally, the settlement requires Sabre:

to include language in future contracts that specifies the roles and responsibilities of both parties in the event of a data breach;
to try to determine in the event of a data breach whether its customers have provided notice to consumers, and to provide the attorneys general a list of all customers it has notified;
to implement and maintain a comprehensive information security program;
to implement a written incident response and data breach notification plan;
to implement specific security requirements; and
to undergo a third-party security assessment.

Sabre Hospitality Solutions, a business segment of Sabre, operates the SynXis Central Reservation System, which facilitates the booking of hotel reservations. SynXis connects business travel coordinators, travel agencies and online travel-booking companies to Sabre’s hotel customers. On June 6, 2017, Sabre informed its hotel customers of a data breach that occurred between August 2016 and March 2017, which the business had disclosed in a U.S. Securities and Exchange Commission filing the month before. Notice to consumers was provided by the hotels, resulting in some notices being issued as late as 2018, and some consumers receiving multiple notices stemming from the same breach.