According to a book published on Thursday, Booking.com’s servers were breached in 2016 and data on Middle Eastern users was stolen by a hacker working for a US intelligence agency. The book further revealed that the infamous online travel firm kept the incident secret.
AIVD, a Dutch intelligence service, was contacted by Booking.com to investigate the breach and later came to this conclusion. However, the company didn’t notify the Dutch Data Protection Authority or the victims, as its legal counsel had advised. Moreover, since no financial or sensitive data was acquired, Booking.com wasn’t legally required to notify.
However, according to De Machine: In de ban van Booking.com (English translation: The Machine: Under the Spell of Booking.com), Booking.com’s IT experts told a completely different story. Three journalists of the Dutch national newspaper NRC and the book’s authors reported that the breach was named “PIN-leak” because the hack involved PINs stolen from various reservations.
The book further stated that the hacker obtained thousands of hotel reservations in Middle Eastern countries, including Qatar, Saudi Arabia, and the UAE. The information acquired included the names and travel plans of Booking.com customers.
Two months into the breach, Booking.com’s security department was aided by private investigators from the US, who discovered that the hacker was an American working for an organization that carried out assignments for US intelligence services.
Furthermore, NRC Handelsblad linked this incident to surveillance by the United States of people of interest, including foreign diplomats. The breach occurred when the alleged hacker (reportedly named Andrews) and his companions came across a poorly secured server that let them access the PINs, which are also thought to be unique customer account identifier codes.
With these PINs, the hackers were able to steal copies of the reservation details of the Middle Eastern customers who made them.
Earlier this year, Booking.com was fined €475,000 by the Dutch data protection authorities after the sensitive data of 4,100 people was breached and illegally accessed by criminals. In that case, employees of UAE hotels were socially engineered into giving up their account login details.
Middle Eastern hotels haven’t been the only victims this year. Previously, a leading Thai hotel group, Centara Hotels and Resorts, reported a data breach. This is why hotels need to take strict security measures to prevent mass data breaches, given that the theft of sensitive information has become extremely common.