Date: 2021-11-13

A hacker working for a US intelligence agency breached the servers of the hotel reservation service Booking.com in 2016, stealing data belonging to users residing in the Middle East. This is what we learn from the publication of the book “De Machine: In de ban van Booking.com”, which also recounts that Booking.com chose not to publicly disclose what happened.

The book was written by three journalists of the Dutch national newspaper NRC, who point out that the name used internally by Booking.com for the breach was “PIN-leak”, because it concerned the theft of reservation PINs. From the account of the three journalists, it emerges that the hacker had access to hotel reservations for Middle Eastern countries such as Saudi Arabia, Qatar and the United Arab Emirates. Among the data the hacker had access to were the names of Booking.com customers and their travel plans.

Two months after the incident, a team of US private investigators collaborated with the security department of Booking.com and managed to discover that the hacker was an American in the pay of a company that worked for a US intelligence agency, which has never been identified.

Booking.com, which is based in Amsterdam, made the decision not to disclose the incident after contacting the Dutch intelligence service, AIVD, to initiate an investigation into the systems breach. It was a legal advisor who advised Booking.com not to disclose the incident to affected customers or to the Dutch data protection authority: since no sensitive or financial information had been accessed, the company was not required to comply with any notification obligation.

Booking.com has not yet released an official position on the subject. The authors of the book stated that a representative of the company confirmed the occurrence of “unusual activities” in 2016, which were immediately addressed by the security team, and that no public disclosure was made because the company was not obligated to make one, as no evidence was identified of “actual negative consequences on people’s privacy”.

Data concerning travel plans and hotel reservations are a tempting target for hackers working for governments. One example is the “Royal Concierge” operation, revealed in 2013 by an informant from the NSA, in which spies from the British GCHQ tracked the reservations of over 350 luxury hotels around the world. The data collected in this operation was used to identify the hotels in which targets of interest were staying, so that operational agents on site could plant listening devices in their rooms.

In the same vein is the Dark Hotel operation, revealed in 2014 by Kaspersky Lab. This was a campaign that had been running for several years and exploited hotel WiFi networks to compromise the devices of specific targets in order to gain access to sensitive information for espionage purposes. The operation specifically targeted political officials and executives at a global level and was most likely carried out by hackers in the pay of a government.