Booking.com, jointly owned by the United States and the Netherlands, was illegally accessed by an American attacker in 2016 – and the company did not notify anyone when it learned of what had happened, according to explosive revelations.
The alleged attacker, named “Andrew”, allegedly stole “the details of thousands of hotel reservations in Middle Eastern countries,” according to a new book written by three Dutch journalists.
Their employer, Dutch newspaper NRC Handelsblad, reported the allegations this week, claiming that Booking.com had relied on legal advice from London law firm Hogan Lovells that it was under no obligation to inform anyone of the attack.
The breach allegedly occurred after “Andrew” and his associates stumbled upon an insecure server that gave them access to personal identification numbers (PINs), seemingly unique customer account identification codes. From there, the perpetrators were able to steal copies of booking details made by people living and staying in the Middle East. NRC Handelsblad linked this to US-led espionage against foreign diplomats and other people of interest in the region.
Although the accommodation booking website reportedly asked Dutch spy agency AIVD to help it resolve the breach after its internal investigation identified “Andrew” as having ties to US spy agencies, it did not inform either its affected customers or the data protection authorities in the Netherlands at the time, the newspaper alleged.
When we asked for comment on the allegations, a spokesperson for Booking.com told us: “With the support of external subject matter experts and in accordance with the framework established by Dutch data protection law (the regulation applicable before GDPR), we have confirmed that no sensitive or financial information has been viewed.
“The leadership of the day was striving to follow the principles of the DDPA, which guided companies to take additional notification measures only if there were real negative effects on the privacy of individuals, for which no evidence was detected.”
The breach predates the EU’s General Data Protection Regulation (GDPR), which means the data protection rules that everyone is familiar with today, which make it (most of the time) illegal not to disclose data leaks to state authorities, did not exist at the time.
Booking.com was fined €475,000 earlier this year by Dutch data protection authorities after the personal data of 4,100 people was unlawfully accessed by criminals. In that case, employees of hotels in the United Arab Emirates were socially engineered out of their account login details for the platform.
The apparent online break-in once again raises the specter of European countries being targeted by Anglosphere intelligence agencies. The infamous Belgacom hack, revealed by Edward Snowden in 2013 and back in the news in 2018 when Belgium attributed it to the UK, was carried out by British spies trying to access data on people of interest in Africa.
Almost exactly eight years ago, Snowden also revealed the existence of a British program for spying on diplomats, codenamed Golden Concierge, which at first glance looks remarkably similar to the Booking.com breach reported this week.
While some readers may shrug their shoulders and mumble “spies spy”, evidence of mass data theft by third parties who may or may not be subject to the lax controls that spy agencies choose to create for themselves will be cold comfort to anyone who made a Booking.com reservation in the Middle East at the time.