The details of Google employees have been left exposed by an agency that looks after the search engine giant’s travel bookings, it has emerged.
Google notified its employees and the state of California about the breach, adding that names, contact details and card data used to make hotel bookings may have been accessed by attackers.
In a letter sent to employees, it said the incident impacted one of the travel providers used by Googlers, Carlson Wagonlit Travel (CWT).
“CWT has confirmed that one or more of your hotel reservations and the name, contact information, and payment card information associated with the reservation(s) may have been compromised,” the letter said.
It added that a company named Sabre Hospitality Solutions operates the SynXis Central Reservations system (CRS), which facilitates the booking of hotel reservations made by individuals and companies, such as Google, through travel agencies.
“Sabre discovered unauthorised access to an internal account in the SynXis CRS. Following an investigation, Sabre notified CWT, which uses the SynXis CRS, that an unauthorised party gained access to personal information associated with certain hotel reservations made through CWT. CWT subsequently notified Google about the issue on June 16, 2017, and we have been working with CWT and Sabre to confirm which Google travellers were affected,” said the letter.
It added that Sabre’s investigation discovered no evidence that information such as Social Security, passport and driver’s license numbers were accessed.
“However, because the SynXis CRS deletes reservation details 60 days after the hotel stay, we are not able to confirm the specific information associated with every affected reservation,” said Google.
Google added that it was working with CWT and Sabre to address this issue. Sabre engaged a leading cyber-security firm to support its investigation. Sabre indicated that they also notified law enforcement and the payment card brands about this incident, according to Google.
Google will now offer its employees 24 months of identity protection and credit monitoring services. It urged employees to review account statements for incidents of fraud and identity theft.
This article originally appeared at scmagazineuk.com