[German]In 2016, the hotel reservation platform booking.com, which is also quite popular in Germany, suffered a data protection breach caused by a hack, for which the platform was not responsible (access data of hotel employees was stolen). Because the incident was reported too late, the Dutch data protection regulator imposed a fine. Now it turns out that the hack at Booking.com was probably carried out by an employee of the US Secret Service. They wanted to get the booking data of hotels in Arab countries.
Advertising
Booking.com is quite popular when it comes to booking accommodation quickly. I myself use it occasionally, most recently four weeks ago when I needed accommodation quickly in a near by town in Germany. Via Booking.com, I quickly had a suitable accommodation that was free and offered all the features that were important to me. Later, I booked the accommodation two more times directly with the landlord for subsequent weekends.
The data protection incident from 2016
From that point of view, Booking.com is already very helpful, but it also has downsides. At the beginning of 2016, the Netherlands-based hotel booking service provider Booking.com became a victim of a hack. Booking.com discovered the intrusion by accident in early 2016. An employee of the security department at the company's headquarters in Amsterdam noticed that an unknown person had gained access to Booking.com's systems via a poorly secured server. The attacker had managed to use social engineering techniques to elicit login credentials for their Booking.com accounts from employees at 40 hotels in the United Arab Emirates (UAE).
The hacker accessed thousands of hotel reservations in the Middle East (including Saudi Arabia, Qatar, and the United Arab Emirates). The hack retrieved names of Booking customers and their travel plans. The captured data also included names, addresses, phone numbers and details of users' bookings – and credit card data was accessed.
Because the service provider did not report this data protection incident in a timely manner, The Netherlands Data Protection Authority issued a fine of 475,000 euros against Booking.com. This became known in April 2021 (see my German post Booking.com: 475.000 Euro Strafe für verzögerte Meldung eines Hacks). The reason was that the company informed too late that third parties had accessed the data of 4,109 people who had booked a hotel room via the provider's website.
Hack by US intelligence operatives
Dutch medium NRC reports in this article about details now revealed by a book publication. The hacker who penetrated the servers of the hotel website Booking.com in early 2016 was noticed only by accident. The person had managed to retrieve thousands of hotel reservations in Middle Eastern countries.
Advertising
After two months of research, four Booking.com IT specialists determined that the hacker was a U.S. citizen with close ties to American intelligence agencies. Booking.com's management did ask the Dutch intelligence agency AIVD for help in investigating the cyberattack. However, management did not notify affected customers or the Dutch Data Protection Authority (AP). The reasoning was that they were not legally required to do so at the time, citing advice from law firm Hogan Lovells.
There was disagreement among Booking's IT specialists regarding this decision, as the implications for those affected by the hack could be quite problematic. According to Gerrit-Jan Zwenne, professor of law and digital technologies at Leiden University, the stolen information can be used to put people on no-fly lists, ban them from entering certain countries or wiretap them. The fine mentioned above was the result of this policy by Booking.com management.
This American act of espionage is described in the book "De Machine" (The Machine), published last Thursday. In it, three journalists from the Dutch daily NRC examine the rise, heyday and recent (COVID-19) crisis of the American-Dutch hotel reservation website Booking.com. The company is celebrating its 25th anniversary this year and is the largest reservation platform in the world, with 28 million connected accommodations.
