A hacker working for a US intelligence agency breached the servers of Booking.com in 2016 and stole user data related to the Middle East, according to a book published on Thursday. The book also says the online travel agency opted to keep the incident secret.
Amsterdam-based Booking.com made the decision after calling in the Dutch intelligence service, known as the AIVD, to investigate the data breach. On the advice of legal counsel, the company did not notify affected customers or the Dutch Data Protection Authority. The reasoning was that Booking.com was not legally required to do so because no sensitive or financial information had been accessed.
IT specialists working for Booking.com told a different story, according to the book De Machine: In de ban van Booking.com (English translation: The Machine: Under the Spell of Booking.com). The book's authors, three journalists at the Dutch national newspaper NRC, report that the internal name for the breach was the "PIN-leak," because the stolen data included the PIN codes attached to reservations.
The book also says that the person behind the hack accessed thousands of hotel reservations involving Middle Eastern countries, including Saudi Arabia, Qatar, and the United Arab Emirates. The exposed data included the names of Booking.com customers and their travel plans.
Two months after the breach, US private investigators helped Booking.com’s security department determine that the hacker was an American who worked for a company that carried out assignments from US intelligence services. The authors never determined which agency was behind the intrusion.
Data related to hotels and travel has long been a highly sought-after commodity among hackers working for nation states. In 2013, documents leaked by NSA whistleblower Edward Snowden revealed "Royal Concierge," a program run by Britain's GCHQ that tracked bookings at 350 upscale hotels around the world. The spies used the data to identify the hotel where targets of interest were staying so that field operatives could plant bugs in their rooms.
In 2014, Kaspersky Lab disclosed DarkHotel, a years-long campaign that used hotel Wi-Fi networks to infect the devices of targeted guests, typically by pushing malicious software updates, with the aim of gaining access to their companies' sensitive information. The people behind DarkHotel, who were likely working on behalf of a nation state, have shown a particular interest in political officials and global C-level executives.
For its part, Booking.com said it had no legal requirement to disclose the breach. In a statement, company officials wrote:
With the support of external subject matter experts and following the framework established by the Dutch Data Protection Act (the applicable regulation prior to GDPR), we confirmed that no sensitive or financial information was accessed. Leadership at the time worked to follow the principles of the DDPA, which guided companies to take further steps on notification only if there were actual adverse negative effects on the private lives of individuals, for which no evidence was detected.
Post updated to add comment from Booking.com.