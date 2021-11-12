



A hacker working for a U.S. intelligence agency hacked Booking.com’s servers in 2016 and stole user data linked to the Middle East, according to a book published Thursday. The book also states that the online travel agency chose to keep the incident a secret.

Amsterdam-based Booking.com made the move after bringing in the Dutch intelligence service, known as AIVD, to investigate the data breach. On the advice of legal counsel, the company did not inform the affected customers or the Dutch data protection authority. The reasons: Booking.com was not legally obliged to do so because no sensitive or financial information was consulted.

IT specialists working for Booking.com told a different story, according to the book De Machine: In de ban van Booking.com (English translation: The Machine: Under the Spell of Booking.com). The authors of the book, three journalists from the Dutch national newspaper NRC, report that the internal name of the breach was the PIN code leak, as the breach involved PIN codes stolen from reservations.

The book also states that the person behind the hack accessed thousands of hotel reservations involving countries in the Middle East, including Saudi Arabia, Qatar and the United Arab Emirates. The data disclosed concerned the names of Booking.com customers and their travel plans.

Two months after the breach, private U.S. investigators helped Booking.com’s security service determine that the hacker was an American who worked for a company that carried out U.S. intelligence missions. The authors never determined which agency was behind the intrusion.

Hotel and travel data has long been a much sought after commodity by hackers working for nation states. In 2013, an NSA whistleblower revealed Royal Concierge, a British GCHQ spy program that tracked bookings at 350 high-end hotels around the world. The spies used the data to identify the hotel where the targets of interest were staying so that field workers could then plant bugs in their rooms.

In 2014, Kaspersky Labs unveiled Dark Hotel, a multi-year campaign that used hotel Wi-Fi networks to infect devices of targeted customers in an attempt to access sensitive company information. The people behind Dark Hotel who are likely to work on behalf of a nation state have shown a particular interest in C-level policy makers and global executives.

Booking.com did not respond to emails requesting comment for this post. In a preview of the book published on Thursday, the authors of The Machine said that a representative from Booking.com confirmed that there had been unusual activity in 2016, that security personnel immediately took into account the event. and that the company had never disclosed. The representative said Booking.com had no legal obligation to disclose the breach as there was no evidence found of any real negative effects on individuals’ privacy.

