Dutch newspaper accuses US spy agencies of orchestrating 2016 Booking.com breach

Journalists' book claims company was targeted for Middle Eastern data


Jointly US-Dutch owned Booking.com was illegally accessed by an American attacker in 2016 – and the company failed to tell anyone when it became aware of what happened, according to explosive revelations.

The alleged miscreant, named as "Andrew", is said to have stolen "details of thousands of hotel reservations in countries in the Middle East," according to a new book written by three Dutch journalists.

Their employer, Dutch title NRC Handelsblad, reported the allegations this week, claiming that Booking.com had relied on legal advice from London-based law firm Hogan Lovells saying it wasn't obliged to inform anyone of the attack.

The breach was said to have occurred after "Andrew" and associates stumbled upon a poorly secured server which gave them access to personal ID numbers (PINs), seemingly unique customer account identifier codes. From there the miscreants were able to steal copies of reservation details made by people living and staying in the Middle East. NRC Handelsblad linked this to espionage carried out by the US against foreign diplomats and other people of interest in the region.

Although the accommodation booking website reportedly asked the Dutch AIVD spy agency for help with the breach after its internal investigation identified "Andrew" as having connections to US spy agencies, it did not notify either its affected customers or data protection authorities in the Netherlands at the time, the newspaper alleged.

When we asked for comment about the allegations, a Booking.com spokesperson told us: "With the support of external subject matter experts and following the framework established by the Dutch Data Protection Act (the applicable regulation prior to GDPR), we confirmed that no sensitive or financial information was accessed.

"Leadership at the time worked to follow the principles of the DDPA, which guided companies to take further steps on notification only if there were actual adverse negative effects on the private lives of individuals, for which no evidence was detected."

The breach predated the EU's General Data Protection Regulation (GDPR), meaning data protection rules everyone's familiar with today, which (mostly) make it illegal not to disclose data leaks to state authorities, did not exist at the time.

Booking.com was fined €475,000 earlier this year by Dutch data protection authorities after 4,100 people's personal data was illegally accessed by criminals. In that case employees of hotels in the UAE were socially engineered out of their account login details for the platform.

The apparent online break-in once again raises the spectre of European countries being targeted by Anglosphere intelligence agencies. The infamous Belgacom hack, revealed by Edward Snowden in 2013 and reignited in 2018 when Belgium attributed it to the UK, was carried out by British spies trying to gain access to data on people of interest in Africa.

Almost exactly eight years ago, Snowden also revealed the existence of a British spy-on-diplomats programme codenamed Golden Concierge, which on the face of it looks remarkably similar to the Booking.com breach reported this week.

While some readers might shrug and mutter "spies spy," evidence of the theft of bulk data by third parties who may or may not be subject to whatever lax controls spy agencies choose to create for themselves will be cold comfort to anyone who made a Booking.com reservation in the Middle East at the time. ®


Biting the hand that feeds IT © 1998–2021