A hacker working for a US intelligence agency hacked Booking.com's servers in 2016 and stole user data from the Middle East, according to a book published on Thursday. The book also says the online travel agency chose to keep the incident a secret.
Amsterdam-based Booking.com made the decision after calling on the Dutch intelligence service, also known as the AIVD, to investigate the breach of the company's servers. Following legal advice, the company did not notify the affected customers or the Dutch Data Protection Authority.
The reason; Booking.com was not legally required to do so because no sensitive or financial information was accessed.
But IT people working at Booking.com told a different story, according to the book De Machine: In de ban van Booking.com (English translation: The Machine: Under the Spell of Booking.com). The book's authors, three journalists from the Dutch newspaper NRC, say the inside name for the breach was “leakage PIN” because the breach involved stolen PINs from reservations.
The book also states that the person behind the hack had access to thousands of hotel reservations in Middle Eastern countries, such as Saudi Arabia, Qatar and the United Arab Emirates. The leaked data concerned Booking.com customer names and their travel plans.
Two months after the breach, U.S. private investigators helped Booking.com security determine that the hacker was an American working for a company that was contracting for US intelligence services. The authors did not specify which service was behind the invasion.
The data concerning hotel reservations and plans for taxidia is a highly sought after product for hackers working for a state. In 2013, an informant of her NSA unveiled the "Royal Concierge", a British spy program GCHQ which tracked reservations at 350 luxury hotels worldwide. The secret services χρησιμοποιούν αυτά τα δεδομένα για να αναγνωρίσουν το ξενοδοχείο διαμονής των στόχων, ώστε να μπορούν να τοποθετήσουν κοριούς στα δωeyeand them.
2014, the Kaspersky Labs revealed it Dark Hotel, a campaign that used hotel Wi-Fi networks to infect the devices of targeted visitors in order to gain access to sensitive information. The hackers behind the Dark Hotel - which probably worked for a government - showed particular interest in C-level politicians and executives.
The authors of The Machine reported that a Booking.com spokesperson confirmed that there was unusual activity in 2016, and that security personnel responded immediately to the incident. He also admitted that the company never revealed it because it had no legal obligation to do so.