Settlement | High Risk | Multistate

NJ AG Settles Sabre for $2.4M Over Hotel Booking Data Breach

Sabre Corp. | December 23, 2020 | New Jersey Attorney General

Penalty Amount

$2,400,000

Consumers Affected

1,300,000

Summary

New Jersey participated in a multi-state settlement resolving an investigation into a 2017 data breach at Sabre Hospitality Solutions. Intruders accessed the company's hotel booking system from August 2016 to March 2017, compromising data from over 1.3 million consumer credit cards, including CVV numbers and expiration dates. Sabre failed to promptly notify affected consumers. The $2.4 million settlement requires Sabre to implement enhanced data security measures, develop a breach notification plan, clarify contractual responsibilities with client hotels, and undergo third-party security assessments.

Remedy

Sabre must pay $2.4 million total to 27 states. The settlement includes injunctive relief requiring Sabre to implement and maintain a comprehensive information security program, meet specific security requirements, undergo a third-party security assessment, develop a written incident response and data breach notification plan, and include clear breach response roles in future client contracts. Sabre must also determine and report to Attorneys General whether its client hotels provided consumer notifications.

Monetary Penalty | Injunction | Consent Decree | Compliance Program | Reporting Requirements

Contract Impact

In-house legal teams should review vendor and customer agreements, especially those involving data processing or service provision like Sabre's hotel booking system. Focus on clauses related to data security, breach notification, indemnification, and audit rights. Specific clauses to examine include data security standards (e.g., encryption, access controls), breach notification timelines and procedures, allocation of liabilities for data breaches, requirements for third-party security assessments, and data retention and deletion policies. Changes may be needed to mandate compliance with specific frameworks like PCI DSS for payment card data, enforce prompt breach notification to consumers and clients, clarify contractual responsibilities between Sabre and client hotels regarding data handling, and include regular security audits and incident response plans.

Contract Search Terms

breach notification plan | data security measures | contractual responsibilities | third-party security assessment | payment card data protection | CVV data handling | consumer notification timeline | incident response plan

Entity Details

Entity

Sabre Corp.

Also known as: Sabre

Industry

Technology

Source Evidence

Entity Name: "settlement with Sabre Corp."

Fine Amount: "Sabre will pay the 27 participating states a total of $2.4 million"

Violation Types: "Intruders Accessed Hotel Booking Company’s Web-Based Central Reservation System; Data from over 1 Million Consumer Credit Cards Was Compromised"

Violation Types: "Sabre did not notify actual hospitality consumers, leaving that task to the client hotels. The client hotels subsequently provided notice to consumers, but some consumers did not receive notice until as late as 2018"

Co-Enforcers: "Attorneys General representing the following states have signed-on to today’s settlement with Sabre: Vermont, Arkansas, Connecticut, Illinois, Alaska, Arizona, Florida, Hawaii, Indiana, Iowa, Louisiana, Michigan, Minnesota, Missouri, Montana, Nebraska, Nevada, New York, North Carolina, North Dakota, Ohio, Oregon, Pennsylvania, Tennessee, Virginia, and Washington."
