The personal details of a small number of Google staffers have been exposed, according to a notification letter Google has started sending to affected employees.
The breach didn't take place because of Google's lack of security measures, but occurred off-site, via a travel and hotel reservations platform.
Carlson Wagonlit Travel (CWT), one of the companies Google uses to make hotel arrangements for its employees for work-related travels, has informed the tech giant of the breach.
However, the actual breach didn't take place at CWT either, but Sabre Hospitality Solutions, a company that develops SynXis Central Reservation System, a platform used by tens of thousands of hotels across the globe to allow travel agencies like CWT to make hotel reservations.
It was infosec reporter Brian Krebs who spotted the breach in Sabre's SEC filings at the start of May. As Sabre notified travel agencies of the SynXis breach, the agencies then notified their own customers, with CWT alerting Google of the incident.
According to the letter, Google is sending employees, the hacker who breached Sabre's systems was able to collect data such as contact details and payment card. The hacker had access to the Sabre systems between August 10, 2016, and March 9, 2017.
Because the Sabre systems delete reservation details after 60 days, Google wasn't able to determine what data the hacker accessed for each employee during that interval.
Google has offered to provide two years of free identity protection and credit monitoring services for all affected employees.
The incident is considered a small breach for Google, but anyone who traveled during the above interval should check with their travel agency and see if the Sabre breach might have exposed their personal or payment card details.
At the time of writing, Google is one of the few tech giants that hasn't suffered a major data breach, like the ones that affected Adobe, Yahoo, Linked, and others.
Nonetheless, this is not the first time that data of Google employees has been exposed via a third-party contractor. In May 2016, Google also notified some employees after one of the managers of a third-party benefits vendor sent a file containing sensitive information about Google employees to the wrong person. Only names and Social Security numbers (SSNs) were exposed in that incident.