A hacker linked to unspecified US spy agencies reportedly attacked hotel reservation site Booking.com in 2016, targeting foreign diplomats and other individuals in the Middle East. The company did not notify customers of the hack.
The alleged perpetrator, dubbed “Andrew,” stole the “details of thousands of hotel reservations” across Middle Eastern countries, according to a report published on Wednesday by Dutch newspaper NRC Handelsblad. The bombshell article cited accusations made in a new book by the paper’s journalists.
An employee at the joint US-Dutch firm’s Amsterdam headquarters discovered the hack by accident after coming across unauthorized access via a poorly secured server. The breach gave Andrew and their associates access to customer data, travel plans, and unique user personal ID numbers (PINs).
The hack was verified by three former security specialists and a manager at the company at the time of the breach. Enlisting US private investigators, Booking.com’s security team determined two months later that Andrew worked for a company that carried out assignments from US intelligence services. The actual agency involved in the incident was not identified.
Although Booking.com alerted the Dutch intelligence agency AIVD, it apparently did not notify users or the Dutch Data Protection Authority (AP) – later justifying this decision on the grounds that it was not legally required to do so at the time. The hack predated the implementation of the EU’s General Data Protection Regulation (GDPR), which requires data leaks to be disclosed to state authorities.
However, unnamed sources revealed that the company’s IT specialists were uncomfortable with the management’s decision – based on advice from London-based law firm Hogan Lovells – to keep the breach under wraps. Under the applicable privacy laws of the time, the company was still required to inform affected persons when the data theft “would likely have adverse effects on the private lives of individuals.”
Claiming that “no sensitive or financial information” was accessed in the leak, the company said in a statement that its “leadership at the time worked to follow the principles of the Dutch Data Protection Act.” Under that law, companies were advised to issue a notification “only if there were actual adverse negative effects on the private lives of individuals, for which no evidence was detected.”
The report comes almost exactly eight years after NSA whistleblower Edward Snowden revealed the existence of a special program called ‘Royal Concierge’ run by British spy agency GCHQ that conducted surveillance on more than 350 hotels hosting foreign diplomats and officials.
While the Snowden documents did not identify any specific reservation websites, a former Booking.com security specialist told the Dutch paper that it would be “crazy if [it] weren’t on that list.”