A hacker working for a US intelligence agency breached the servers of Booking.com in 2016 and stole user data related to the Middle East, according to a book published on Thursday. The book also says the online travel agency opted to keep the incident secret.
Amsterdam-based Booking.com made the decision after calling in the Dutch intelligence service, known as AIVD, to investigate the data breach. On the advice of legal counsel, the company didn’t notify affected customers or the Dutch Data Protection Authority. The grounds: Booking.com wasn’t legally required to do so because no sensitive or financial information was accessed.
IT specialists working for Booking.com told a different story, according to the book De Machine: In de ban van Booking.com (English translation: The Machine: Under the Spell of Booking.com). The book’s authors, three journalists at the Dutch national newspaper NRC, report that the internal name for the breach was the “PIN-leak,” because the breach involved stolen PINs from reservations.
The book also said that the person behind the hack accessed thousands of hotel reservations involving Middle Eastern countries including Saudi Arabia, Qatar, and the United Arab Emirates. The data disclosed involved names of Booking.com customers and their travel plans.
Two months after the breach, US private investigators helped Booking.com’s security department determine that the hacker was an American who worked for a company that carried out assignments from US intelligence services. The authors never determined which agency was behind the intrusion.
Data related to hotels and travel has long been a highly sought-after commodity among hackers working for nation states. In 2013, an NSA whistleblower revealed “Royal Concierge,” a program by spies from Britain’s GCHQ that tracked bookings at 350 upscale hotels across the world. The spies used the data to identify the hotel where targets of interest were staying so field operatives could then plant bugs in their rooms.
In 2014, Kaspersky Labs disclosed Dark Hotel, a yearslong campaign that used hotel Wi-Fi networks to infect the devices of targeted guests with the aim of gaining access to a company’s sensitive information. The people behind Dark Hotel—likely working on behalf of a nation-state—have shown a particular interest in political officials and global C-level executives.
Booking.com didn’t respond to emails seeking comment for this post. In a book preview published Thursday, the authors of The Machine said that a Booking.com representative confirmed that there was unusual activity in 2016, that security personnel fully addressed the event immediately, and that the company never disclosed it. The representative said that Booking.com had no legal requirement to disclose the breach because there was no evidence found for “actual adverse effects on the private lives of individuals.”