Booking.com was breached by a hacker with links to US intelligence services

But the company did not disclose the incident to customers

The world's largest hotel booking site, Booking.com, was breached in 2016 by an American hacker with links to the US intelligence services. The company, however, did not disclose the incident to its customers and kept it completely secret.

The explosive revelation comes in a new book written by three Dutch journalists working for the Dutch newspaper NRC Handelsblad.

The paper this week reported that after detecting a security breach in 2016, the Netherlands-based company, which provides accommodation and flights, asked Dutch intelligence service AIVD for help in investigating the incident, although it did not inform the Dutch Data Protection Authority (AP) and its customers about the intrusion.

A spokesperson for Booking.com told the newspaper that in 2016, an "unusual activity" was detected.

"Our security team fully addressed the issue and immediately launched a forensic investigation," the spokesperson added.

Because no evidence was found for "actual adverse effects on the private lives of individuals," the company did not report the data breach, the spokesperson noted.

Booking.com told the newspaper that it had relied on legal advice from London-based law firm Hogan Lovells on this matter.

The privacy law that applied in the Netherlands in 2016 stated that those involved in a data breach have to be notified if it "likely had adverse consequences" for them.

According to the authors of the book De Machine: In de ban van Booking.com, the breach was internally called "PIN-leak" because it involved stolen PINs from reservation systems.

The book says the alleged miscreant - named as "Andrew" - stole details of thousands of hotel reservations in Middle Eastern countries including Qatar, Saudi Arabia and the United Arab Emirates. The data accessed by the hacker included the names of customers and their travel itineraries.

Nearly two months after the breach, US private investigators helped Booking.com's security staff to determine that the hacker was an American who worked for a firm that carried out assignments from US intelligence services.

The authors of the book could not determine which agency was behind the intrusion.

Data related to travel and hotel booking has long been a highly sought-after commodity among cybercriminals as well as hackers working for nation states.

In 2018, hotel chain Marriott reported a breach by the Magecart gang, in which the names, addresses, passport numbers and contact details of up to 300 million customers were stolen from the Starwood Hotels reservation system. For the breach, Marriott was found to be at fault because of its lax security procedures.

In April, Booking.com was fined €475,000 by Dutch data protection authorities for late reporting of a separate data breach under GDPR.

In that breach, more than 4,000 Booking.com customers had their names, addresses, phone numbers and booking details accessed by cyber criminals. Another 300 people also had credit card information stolen, including the CVV code in almost 100 cases.