A hacker working for a US intelligence agency breached the servers of Booking.com in 2016 and stole user data related to the Middle East, according to a book published on Thursday. The book also says the online travel agency opted to keep the incident secret.
Amsterdam-based Booking.com made the decision after calling in the Dutch intelligence service, known as AIVD, to investigate the data breach. On the advice of legal counsel, the company didn’t notify affected customers or the Dutch Data Protection Authority on the grounds that Booking.com wasn’t legally required to do so because no sensitive or financial information was accessed.
IT specialists working for Booking.com told a different story, according to the book De Machine: In de ban van Booking.com (English translation: The Machine: Under the Spell of Booking.com). The book’s authors, three journalists at the Dutch national newspaper NRC, report that the internal name for the breach was the “PIN-leak,” because the breach involved stolen PINs from reservations.
The book also said that the person behind the hack accessed thousands of hotel reservations involving Middle Eastern countries including Saudi Arabia, Qatar, and the United Arab Emirates. The data disclosed involved names of Booking.com customers and their travel plans.
Two months after the breach, US private investigators helped Booking.com’s security department determine that the hacker was an American who worked for a company that carried out assignments from US intelligence services. The authors never determined which agency was behind the intrusion.