NOTICE REGARDING SABRE HOSPITALITY DATA SECURITY INCIDENT

What Happened?
Sabre Hospitality Solutions processes reservations for 21c Museum Hotels through Sabre’s SynXis Central Reservations system. Sabre notified us on June 8, 2017, that an unauthorized party gained access to their system and guest information for certain reservations. Sabre is a leading technology provider in the travel industry, with more than 36,000 properties using its Sabre’s SynXis central reservations system.

What Information Was Involved?
The unauthorized party was able to access payment card information for certain 21c hotel reservation(s) within Sabre’s SynXis Central Reservations system including cardholder name; card number; card expiration date; and, potentially, a card security code, if this was provided in connection with the reservation. The unauthorized party was also able, in some cases, to access certain information such as guest name, email, phone number, address, and other reservation related information. Information such as social security, passport, or driver’s license number was not accessed. Sabre has assured us that the unauthorized access has been stopped and is no longer possible.

What We are Doing?
Sabre’s investigation determined that unauthorized access of their system first occurred August 10, 2016 and ended on March 9, 2017. Sabre has notified law enforcement and the payment card brands affected about this incident. We have contacted Sabre regarding this incident and in response Sabre has assured us that their level of investment in state of the art security technology and highly qualified personnel provides a layered security approach to enhance security to detect and prevent unauthorized access of their systems.

What You Can Do.
It is possible that your payment card company has already notified you of a potential security risk and replaced your card. If not, we recommend that you confirm the payment card used for your reservation and immediately contact the card issuer if you discover any suspicious or unusual activity on your account statements. Attached is important information regarding fraud and identify theft.

For More Information.
We have established a toll-free number for our valued guests to call Monday through Friday, 24 hours a day for more information. The toll-free number is 800-461-3025. For additional information from Sabre, you can also visit Sabre’s website at sabreconsumernotice.com.

You may also want to review our Frequently Asked Questions below.

Additional Important Information

Monitoring: You should always remain vigilant and monitor your credit report and accounts for suspicious or unusual activity. More information about identify theft can also be obtained from the Federal Trade Commission at ftc.gov.

Fraud Alerts: You can place fraud alerts with the three credit bureaus by phone and also via Experian’s or Equifax’s website. A fraud alert tells creditors to follow certain procedures, including contacting you, before they open any new accounts or change your existing accounts. For that reason, placing a fraud alert can protect you, but also may delay you when you seek to obtain credit. The contact information for all three credit bureaus is below.

Credit Report: You are entitled to one free copy of your credit report every 12 months from each of the three nationwide credit reporting agencies. You may obtain a free copy of your credit report by going to AnnualCreditReport.com. You may also contact any of the three major credit reporting agencies listed below to request a copy of your credit report.

Security Freeze: You have the right to place a security freeze on your credit report. A security freeze is intended to prevent credit, loans, and services from being approved in your name without your consent. However, please be aware that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit mortgages, employment, housing, or other services. Unlike a fraud alert, you must separately place a credit freeze on your credit file at each credit reporting company. The following information must be included when requesting a security freeze (note that if you are requesting a credit report for your spouse, this information must be provided for him/her as well): (1) full name, with middle initial and any suffixes; (2) Social Security number; (3) date of birth; (4) current address and any previous addresses for the past five years; and, (5) any applicable incident report or complaint with a law enforcement agency. The request must also include a copy of a government-issued identification card. The consumer reporting agency may charge a fee to place, lift, or remove a freeze. You may obtain a security freeze by contacting any one or more of the following national consumer reporting agencies:

For residents of Iowa, Maryland, North Carolina, Oregon, and Rhode Island:
You may contact law enforcement, your Attorney General, or the FTC to report any suspected identity theft. You can obtain information from the below Offices of the Attorneys General or the Federal Trade Commission about fraud alerts, security freezes, and steps you can take toward preventing identity theft:

Maryland Office of the Attorney General
Consumer Protection Division
200 St. Paul Place
Baltimore, MD 21202
888-743-0023
marylandattorneygeneral.gov

Oregon Department of Justice
1162 Court Street NE
Salem, OR 97301-4096
(503) 378-4400
doj.state.or.us

North Carolina Office of the Attorney General
Consumer Protection Division
9001 Mail Service Center Raleigh, NC 27699-9001
877-566-7226
ncdoj.com

Rhode Island Office of the Attorney General
150 South Main Street Providence, RI 02903
(401) 274-4400
riag.ri.gov

Federal Trade Commission Consumer Response Center
600 Pennsylvania Ave, NW
Washington, DC 20580
877-438-4338
ftc.gov

For residents of Rhode Island:
You have the right to file and obtain a police report if you are a victim of identity theft. 

For residents of New Mexico:
You have rights under the federal Fair Credit Reporting Act (FCRA). These include, among others, the right to know what is in your file; to dispute incomplete or inaccurate information; and to have consumer reporting agencies correct or delete inaccurate, incomplete, or unverifiable information. For more information about the FCRA, please visit ftc.gov. In addition, you have the right to obtain a Security Freeze or Submit a Declaration of Removal.

21c Museum Hotels: FAQs

1. What happened?

21c Museum Hotels was informed on June 8, 2017 by Sabre Hospitality Solutions (Sabre), a third-party service provider used by 21c Museum Hotels to facilitate the booking of hotel reservations, that there was an incident on their system involving unauthorized access to guest information associated with certain reservations made at some 21c properties. The incident did not affect 21c Museum Hotels’ systems. 21c Museum Hotels understands that Sabre has engaged a leading cybersecurity firm to support its investigation and has notified law enforcement and the payment card brands about this incident.

2. What information was affected by this issue?

The unauthorized party was able to access payment card information for some hotel reservations at certain 21c properties, including cardholder name, payment card number, card expiration date, and potentially card security code. In some cases, the unauthorized party also was able to access guest name, email, phone number, address, and other information. Information such as Social Security, passport, and driver’s license number was not accessed.

The investigation found that the unauthorized party first obtained access to payment card and other reservation information on August 10, 2016. The last access to this information by the unauthorized party was on March 9, 2017.

3. Which 21c Museum Hotels properties were affected?

Please see below the affected 21c Museum Hotels properties.

21c Museum Hotel Louisville
21c Museum Hotel Bentonville
21c Museum Hotel Cincinnati
21c Museum Hotel Lexington
21c Museum Hotel Durham
21c Museum Hotel Oklahoma City

4. How did 21c Museum Hotels become aware of the incident?

Sabre notified 21c Museum Hotels on June 8, 2017 that an unauthorized party gained access to account credentials that permitted access to payment card data and certain reservation information for some of 21c Museum Hotels hotel reservations processed through Sabre’s central reservations system.

5. Were 21c Museum Hotels’ systems affected?

This issue did not affect 21c Museum Hotels’ systems. The issue resulted from unauthorized access to information processed on the systems of Sabre Hospitality Solutions, a third-party service provider used by 21c to facilitate the booking of hotel reservations.

6. When did the unauthorized party access payment card information?

Sabre’s investigation found that the unauthorized party first obtained access to payment card and other reservation information on August 10, 2016. The last access to this information by the unauthorized party was on March 9, 2017