RTFri, 12 Nov 2021 11:15 UTC
© Getty Images / gorodenkoff
A hacker linked to unspecified US spy agencies reportedly attacked hotel reservation site Booking.com
in 2016, targeting foreign diplomats and other individuals in the Middle East. The company did not notify customers of the hack.
The alleged perpetrator, dubbed
"Andrew," stole the "details of thousands of hotel reservations" across Middle Eastern countries, according to a report published on Wednesday by Dutch newspaper NRC Handelsblad. The bombshell article was citing accusations made in a new book by its journalists.
An employee at the joint US-Dutch firm's Amsterdam headquarters discovered the hack by accident after coming across an unauthorized access via a poorly secured server. The breach gave Andrew and their associates access to customer data, travel plans, and unique user personal ID numbers (PINs).
The hack was verified by three former security specialists and a manager at the company at the time of the breach. Enlisting US private investigators, Booking.com's security team determined two months later that
Andrew worked for a company that carried out assignments from US intelligence services. The actual agency involved in the incident was not identified.
Although
Booking.com alerted the Dutch intelligence agency AIVD, it apparently did not notify users or the Dutch Data Protection Authority (AP) - later justifying this decision on the grounds that it was not legally required to do so at the time. The hack predated the implementation of the EU's General Data Protection Regulation (GDPR), which requires data leaks to be disclosed to state authorities.
However, unnamed sources revealed that the company's IT specialists were uncomfortable with the management's decision - based on
advice from London-based law firm Hogan Lovells - to keep the breach under wraps. Under the applicable privacy laws of the time, the company was still required to inform affected persons when the data theft "would likely have adverse effects on the private lives of individuals."
Claiming that "no sensitive or financial information" was accessed in the leak, the company said in a statement that its "leadership at the time worked to follow the principles of the Dutch Data Protection Act." Under that law, companies were advised to issue a notification "only if there were actual adverse negative effects on the private lives of individuals, for which no evidence was detected."
The report
comes almost exactly eight years after NSA whistleblower Edward Snowden revealed the existence of a special program called 'Royal Concierge' run by British spy agency GCHQ that conducted surveillance on more than 350 hotels hosting foreign diplomats and officials.
While the Snowden documents did not identify any specific reservation websites, a former Booking.com security specialist told the Dutch paper that it would be "crazy if [it] weren't on that list."
Comment: This comes on the heels of another exposé that Pegasus
spyware created by Israeli firm NSO Group was used by governments and other actors to spy on "journalists, human rights activists, dissidents, and even
heads of state".
Clearly there's benefit to be had in having particular information on those in positions of influence. Which begs the question: just what are these agencies doing with the information they harvest?
The revelation that US intel would be involved in such shenanigans is also notable considering the recent, and increasing, ransomware attacks on US businesses and infrastructure, and that Kaspersky founder claimed would most likely track back to the CIA
noting their ability to cover their hacks with the footprints of other groups:
Major agriculture group New Cooperative hit by ransomware attack, 40% of grain supply chain under serious threat
Comment: This comes on the heels of another exposé that Pegasus spyware created by Israeli firm NSO Group was used by governments and other actors to spy on "journalists, human rights activists, dissidents, and even heads of state".
Clearly there's benefit to be had in having particular information on those in positions of influence. Which begs the question: just what are these agencies doing with the information they harvest?
The revelation that US intel would be involved in such shenanigans is also notable considering the recent, and increasing, ransomware attacks on US businesses and infrastructure, and that Kaspersky founder claimed would most likely track back to the CIA noting their ability to cover their hacks with the footprints of other groups: Major agriculture group New Cooperative hit by ransomware attack, 40% of grain supply chain under serious threat