A hacker working for a US intelligence agency broke into Booking.com’s servers in 2016 and stole user data related to the Middle East, according to a book published on Thursday. The book also says that the online travel agent chose to keep the incident secret.
Amsterdam-based Booking.com made the decision after hiring the Dutch intelligence agency AIVD to investigate the data breach. On the advice of a legal advisor, the company neither informed affected customers nor the Dutch data protection authority. The reason: Booking.com was not legally obliged to do so, as no sensitive or financial information was accessed.
IT specialists from Booking.com told a different story, according to the book De Machine: In de ban van Booking.com (English translation: The Machine: Under the Spell of Booking.com). The book’s authors, three journalists from the Dutch national newspaper NRC, report that the internal name for the incident was “PIN-Leak”, because the breach involved the PIN codes attached to reservations.
The book also states that the person behind the hack accessed thousands of hotel reservations in Middle Eastern countries such as Saudi Arabia, Qatar and the United Arab Emirates. The data exposed consisted of the names of Booking.com customers and their travel plans.
Two months after the attack, US private investigators helped Booking.com’s security department discover that the hacker was an American who worked for a company that carried out work for US intelligence agencies. The authors never found out which agency was behind the intrusion.
Hotel and travel data has long been a coveted asset for hackers working for nation states. In 2013, an NSA whistleblower revealed “Royal Concierge,” a UK GCHQ spy program that tracked bookings at 350 upscale hotels around the world. The spies used the data to identify the hotel where targets of interest were staying so that field operatives could plant bugs in their rooms.
In 2014, Kaspersky Lab revealed Dark Hotel, a years-long campaign that used hotel Wi-Fi networks to infect the devices of targeted guests in order to gain access to their companies’ sensitive information. The group behind Dark Hotel, which likely operates on behalf of a nation state, has shown a particular interest in political officials and C-level executives.
Booking.com did not respond to emails asking for comment on this post. In a book preview published Thursday, The Machine’s authors said that a Booking.com representative confirmed there had been unusual activity in 2016, that security staff had immediately handled the incident in full, and that the company never disclosed it. The representative said Booking.com had no legal obligation to disclose the breach because it found no evidence of “actual adverse effects on the privacy of individuals”.