Google last week began notifying an undisclosed number of employees that their names, contact information and payment card data may have been exposed as a result of a security incident.
Crucially, as the company pointed out in its notification letter [PDF] to those affected, "This did not affect Google's systems. However, this incident impacted one of the travel providers used by Googlers, Carlson Wagonlit Travel (CWT)."
But CWT itself wasn't breached either -- CWT's data was exposed in a larger breach of travel technology company Sabre's SynXis Central Reservations System (CRS), which was disclosed two months ago.
Since neither Google nor CWT were breached themselves, this wasn't a third-party breach, but a fourth-party one -- Google was working with third-party vendor CWT, which itself was leveraging Sabre's SynXis CRS. Read more.