Booking.com asked the Dutch intelligence service AIVD for help with its investigation into the extensive data breach, but did not notify the affected customers or the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP). Management claims that, on the advice of the law firm Hogan Lovells, it was not legally required to do so at the time. The AP declined to comment.
IT specialists at Booking were uncomfortable with management’s decision to stay silent about the breach, according to sources involved. Experts are also critical of the decision. Under the privacy legislation in force at the time, a company had to notify affected persons of data theft when the breach “would likely have adverse effects on the private lives of individuals.”
According to Gerrit-Jan Zwenne, Professor of Law and Digital Technologies at Leiden University, Booking could not assume that those involved would be unaffected by the espionage. “This kind of stolen information can be used to place people on no-fly lists, ban them from entering particular countries or to wiretap them,” he says. Frederik Zuiderveen Borgesius, Professor of ICT and Private Law at Radboud University, adds that reporting the breach would have been “more prudent.” Borgesius: “It is no shame to report that intelligence services have breached your servers. They have so many experts and resources; if they really want to hack into your system, they’ll always be successful in the end.”
This American act of espionage is described in the book ‘De Machine’ (The Machine), published Thursday. In it, three journalists at the Dutch national newspaper NRC investigate the rise, the heyday and the recent (COVID-19) crisis of the American-Dutch hotel reservation website. The company celebrates its 25th anniversary this year and is the largest reservation platform in the world, with 28 million affiliated accommodations.
Read the full story about the hunt for ‘Andrew’, the hacker who accessed Booking’s systems (in Dutch).
Detected by accident
Booking.com detected the espionage in early 2016, by accident. An employee of the security department at the company’s headquarters in Amsterdam discovered that an unknown individual had gained access to Booking’s systems through a poorly secured server. The hacker accessed thousands of hotel reservations in the Middle East (including Saudi Arabia, Qatar and the United Arab Emirates). The breach involved the names of Booking customers and their travel plans.
The incident, internally referred to as the ‘PIN-leak’ because the PINs attached to reservations were stolen, was independently confirmed by three former security specialists at Booking and a member of management at the time of the breach.
With the assistance of American private investigators, Booking.com’s security department was able to identify the hacker after two months: an American (‘Andrew’) who worked for a company that carried out assignments for American intelligence services. Which of the 18 American intelligence organizations commissioned the work is unknown.
In 2013, it became known that the Americans spied on hotel websites in order to monitor the travel movements of foreign diplomats and to place wiretapping equipment in hotel rooms. Whistleblower Edward Snowden then revealed that the British intelligence, security and cyber agency GCHQ had set up a special program for this, called ‘Royal Concierge’. The Snowden documents named no specific reservation websites, but a former employee of Booking’s security department said it would be “crazy if Booking.com weren’t on that list.”
The spokesperson for Booking.com confirmed that “unusual activity” was detected in 2016. “Our security team fully addressed the issue and immediately launched a forensic investigation.” Because “no evidence” was found of “actual adverse effects on the private lives of individuals,” Booking did not report the data breach, according to the spokesperson.
As far as is known, there has been no comparable espionage incident since 2016. However, ‘ordinary’ cyber criminals did manage to penetrate Booking’s servers. Earlier this year, the Dutch AP fined Booking 475,000 euros for notifying the authority too late that criminals had stolen the personal and credit card details of 4,000 customers.