In March 2016, a hacker with close ties to US intelligence broke into the systems of the hotel booking website Booking.com, the NRC reports. The US spy stole details of thousands of reservations at hotels in countries in the Middle East. Neither the affected customers nor the Dutch Data Protection Authority were informed.
Booking.com regularly has to deal with cybercriminals who prey on the vast amount of customer data the hotel website collects every day. Booking's servers hold data on millions of customers, such as names, email addresses, telephone numbers and credit card information. The website's security team is responsible for protecting customer and credit card data and for countering phishing emails.
Hackers who get hold of credit card information can steal large sums from the cardholders. They can also misuse a person's name or contact details to target unsuspecting victims with phishing.
Booking.com had always suspected that intelligence agencies were interested in its customer data, but it had never caught a spy before. At the beginning of 2016, a Booking security officer noticed suspicious activity while checking an old server. The server had never been cleaned up, and an unknown hacker was using it to secretly request information about thousands of hotel bookings via the unique codes associated with specific reservations.
Such data is worth a lot of money on the dark web, where stolen personal data is traded.
The break-in is described in detail in a forthcoming book about Booking's 25-year history. Three former members of the security team and a manager confirm the cyber espionage.
The hacker accessed the Booking server not only from his office but also from his home address. The WiFi router he used turned up in one of Booking's own databases: it was linked to an Android phone that had been used to book an overnight stay via the Booking app. Booking.com was therefore able to unmask the spy through a booking the hacker had made himself. He turned out to be an American named Andrew, who works for a security company that is said to carry out assignments for an American intelligence service.
The Booking employees also found that the spy was searching for bookings in specific locations in the Middle East, including Saudi Arabia, Qatar and the United Arab Emirates.
It is not clear for what purpose the hacker obtained the data, or whether he broke into Booking.com's systems on his own initiative.
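The two steps described above, spotting a client that walks through thousands of reservations by their codes on a forgotten server, and then matching the source address against the company's own booking records, can be illustrated in code. The following Python is an added example written for this page; it is not code from Booking.com or from the NRC's reporting. The log format, the reservation-lookup path, the booking table, the IP addresses and the enumeration threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed log format for a hypothetical reservation-lookup endpoint:
# "<timestamp> <client_ip> GET /reservation/<code>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) GET /reservation/(?P<code>[A-Z0-9-]+)$"
)

# Constructed access log (not real data). 203.0.113.7 and 198.51.100.23
# walk through many distinct reservation codes; 192.0.2.5 looks at its
# own two bookings and represents normal guest traffic.
SAMPLE_LOG = """\
2016-03-01T10:00:01Z 203.0.113.7 GET /reservation/RES-1001
2016-03-01T10:00:02Z 203.0.113.7 GET /reservation/RES-1002
2016-03-01T10:00:03Z 203.0.113.7 GET /reservation/RES-1003
2016-03-01T10:00:04Z 203.0.113.7 GET /reservation/RES-1004
2016-03-01T10:00:05Z 203.0.113.7 GET /reservation/RES-1005
2016-03-01T10:00:06Z 203.0.113.7 GET /reservation/RES-1006
2016-03-01T10:00:07Z 192.0.2.5 GET /reservation/RES-8888
2016-03-01T10:00:08Z 192.0.2.5 GET /reservation/RES-8888
2016-03-01T10:00:09Z 192.0.2.5 GET /reservation/RES-8889
2016-03-02T21:10:01Z 198.51.100.23 GET /reservation/RES-2001
2016-03-02T21:10:02Z 198.51.100.23 GET /reservation/RES-2002
2016-03-02T21:10:03Z 198.51.100.23 GET /reservation/RES-2003
2016-03-02T21:10:04Z 198.51.100.23 GET /reservation/RES-2004
2016-03-02T21:10:05Z 198.51.100.23 GET /reservation/RES-2005
2016-03-02T21:10:06Z 198.51.100.23 GET /reservation/RES-2006
2016-03-02T21:10:07Z 198.51.100.23 GET /reservation/RES-2007
"""

# Constructed table of bookings made through the mobile app, with the
# client IP recorded at booking time (hypothetical schema, not Booking's).
APP_BOOKINGS = [
    {"reservation": "RES-7777", "client_ip": "198.51.100.23", "platform": "android"},
    {"reservation": "RES-8888", "client_ip": "192.0.2.5", "platform": "ios"},
]


def parse_log(text):
    """Return (client_ip, reservation_code) pairs; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            events.append((m.group("ip"), m.group("code")))
    return events


def distinct_codes_per_ip(events):
    """Count how many different reservation codes each client looked up."""
    seen = defaultdict(set)
    for ip, code in events:
        seen[ip].add(code)
    return {ip: len(codes) for ip, codes in seen.items()}


def find_enumerators(events, threshold=5):
    """Clients that looked up more than `threshold` distinct reservation codes.

    A legitimate guest touches a handful of their own bookings; a client that
    walks through many unrelated codes is enumerating. The threshold is an
    assumed tuning value, not a figure from the article.
    """
    counts = distinct_codes_per_ip(events)
    return {ip: n for ip, n in counts.items() if n > threshold}


def attribute(flagged_ips, bookings):
    """Match flagged source IPs against IPs recorded on the company's own bookings."""
    by_ip = defaultdict(list)
    for b in bookings:
        by_ip[b["client_ip"]].append(b)
    return {ip: by_ip[ip] for ip in flagged_ips if ip in by_ip}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    flagged = find_enumerators(events)
    for ip, n in sorted(flagged.items()):
        print(f"{ip}: {n} distinct reservation codes")
    for ip, hits in attribute(flagged, APP_BOOKINGS).items():
        for b in hits:
            print(f"{ip} also made booking {b['reservation']} from a {b['platform']} device")
```

Run as a script, it flags both enumerating addresses and reports that 198.51.100.23 also appears on an app booking, which is the kind of self-inflicted link the article describes. Keying the detection on distinct codes rather than raw request volume matters: a guest refreshing one reservation a hundred times is noise, while a client quietly walking through a few thousand different codes at a modest rate is the signal.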
Data theft not reported
Booking is reported to have asked the General Intelligence and Security Service (AIVD) for help with the investigation into the data theft. The affected customers were not informed, and neither was the Dutch Data Protection Authority.
Reporting the data theft was not legally required, according to Booking's top management. However, former security specialists at Booking believe the hotel website should have been open about it.
In December 2018, the hotel website suffered another data breach. Hackers obtained data on more than 4,000 people and also got away with the credit card details of almost 300 people. Booking.com only reported that breach to the regulator after three weeks, and in March 2021 the Dutch Data Protection Authority fined it €475,000 for the late report.
Booking.com responded: "As soon as unusual activity was discovered in 2016, our security team immediately launched a forensic investigation. With the help of external experts, and within the framework of the Dutch Personal Data Protection Act (the regulations applicable before the GDPR), it was determined that there had been no access to sensitive or financial information. The board at the time acted in accordance with the principles of the Dutch Data Protection Authority, which advised companies to take further steps to inform data subjects only if there were actually adverse consequences for the private lives of individuals. No evidence of this was found."