Who is ‘Andrew’—the US Spy who Hacked Booking.com?
Huge hotel reservations site Booking.com was breached.com. And the perp was the NSA, or one of the other U.S. intelligence agencies.
So says a new book about the 2016 hack—described as “explosive revelations” by some, and “not much to see here” by others. Wait, what?
Let’s unpick the story. In today’s SB Blogwatch, we get someone else to make our bed before we lie in it.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: 1907 dancing pig film.
I Can Tell by Some of the Pixels
What’s the craic? Merijn Rengers, Stijn Bronzwaer en ook Joris Kooiman report—“American spy hacked Booking.com”:
“Wiretapping equipment inside hotel rooms”
In early 2016, an American hacker broke into the servers of hotel website Booking.com and stole details of thousands of hotel reservations in countries in the Middle East. After two months of research, four Booking.com IT-specialists determined that the hacker was a man who had close ties with American intelligence services.
…
[The] IT-specialists … were uncomfortable with the management’s decision to remain silent about the data breach, according to sources. … With the assistance of American private investigators, Booking.com’s security department was able to identify the hacker after two months—an American (‘Andrew’) who worked for a company that carried out assignments from American intelligence services. … In 2013, information leaked that the Americans spied on hotel websites in order to monitor travel movements of foreign diplomats and to place wiretapping equipment inside hotel rooms.
…
Response [from] Booking.com: “Data security is a top priority for us and we are continually innovating the robust processes and systems we have in place to protect our customers and partners. … We confirmed that no sensitive or financial information was accessed. [The law] guided companies to take further steps on notification only if there were actual adverse negative effects.”
SRSLY? Gareth Corfield adds a dash of hyperbole—“Dutch newspaper accuses US spy agencies of orchestrating 2016 Booking.com breach”:
“Cold comfort”
The company failed to tell anyone when it became aware of what happened, according to explosive revelations [in] a new book written by three Dutch journalists. … Although the accommodation booking website reportedly asked the Dutch AIVD spy agency for help with the breach after its internal investigation identified … connections to US spy agencies, it did not notify either its affected customers or data protection authorities in the Netherlands at the time, the newspaper alleged.
…
[You] might shrug and mutter “spies spy,” [but] evidence of the theft of bulk data by third parties … will be cold comfort to anyone who made a Booking.com reservation in the Middle East at the time.
And Dan Goodin makes a welcome return—“Booking.com was reportedly hacked”:
“Plant bugs in their rooms”
According to the book De Machine: In de ban van Booking.com … (The Machine: Under the Spell of Booking.com) … the internal name for the breach was the “PIN-leak,” because the breach involved stolen PINs from reservations. … The person behind the hack accessed thousands of hotel reservations involving … Saudi Arabia, Qatar, and the United Arab Emirates [and] involved names of Booking.com customers and their travel plans.
…
Data related to hotels and travel has long been a highly sought-after commodity among hackers working for nation states. In 2013, [Edward Snowden] revealed “Royal Concierge,” a program … that tracked bookings at 350 upscale hotels across the world. The spies used the data to identify the hotel where targets of interest were staying so field operatives could then plant bugs in their rooms. In 2014, Kaspersky Labs disclosed Dark Hotel, a yearslong campaign that used hotel Wi-Fi networks to infect the devices of targeted guests with the aim of gaining access to a company’s sensitive information.
Booking.who? rawgabbit brings it home:
Booking.com’s parent company [NAS:BKNG] also owns: Priceline, Agoda, Rentalcars.com, KAYAK and OpenTable. It also has “subsidiary brands”: Rocketmiles, Fareharbor, HotelsCombined, Cheapflights and Momondo.
Can you say “double standards”? Richardprice is right:
“Every single western nation does the same”
What did you seriously think the vast array of American intelligence agencies … were spending their vast budgets on previously? Super accurate horoscopes?
The media is happy to report, “Nation states hack X,” when pointing the finger at Russia, China, NK et al … while seemingly merrily ignoring the fact that every single western nation does the same. … I mean, seriously, the US recently put into orbit one of the largest satellites known to mankind (MENTOR 8), and its sole purpose is to intercept communications from foreign nations — and its a replacement for an existing satellite.
How prevalent is this sort of thing? Here’s jacquesm:
“In the hope that nobody will notice”
If you’re a name with brand recognition, and active in a space that allows effective monitoring and/or eavesdropping on the communications of a large number of people then you can consider yourselves either already hacked or a target of various intelligence services. Also beware of employees that are overly eager to have more access than they should have—the ‘plant’ is a very effective way to gain access to data. … Access to unfiltered large amounts of data (say: production database copies, backups, reporting tools that have themselves unfiltered access) are a real risk and should be handed out with great care and oversight.
…
Companies routinely wipe hacks and data leaks under the carpet in the hope that nobody will notice. With the GDPR active they really should stop doing this, but it still happens with great regularity.
Wait. Pause. This Anonymous Coward thinks there’s “not much to see here”:
“This was a trawl for specific individuals”
Without wanting to trivialise this breach it seems the journalists in question are looking to maximise publicity for their book. Travel data leaks like a sieve its neither a surprise nor particularly newsworthy.
…
One wonders if spies were introduced to “sex-up” the story. Frankly if the average spy couldn’t get access to Booking.com data they should be fired for incompetence.
…
Itinerary information … ages pretty quickly and is mostly useless, post the actual stay. If there were spies involved, I would suggest this was a trawl for specific individuals in the [middle east] and the rest of the people’s data was chaff. If PCI or SPI had been part of the leak I suspect the Dutch regulator would have been all over them.
If so, JustReadingArs accuses them of sloppy opsec:
I’m more amazed that ‘people of interest’ would use their real names on booking.com. Wouldn’t people of wealth or interest (from certain countries listed) use associates to place reservations?
Meanwhile, greatgib calls out the PR trope:
So funny in cases like that when you have the corporate bull**** statement … like, “Data protection is our topmost priority,” when it is obviously not the case.
And Finally:
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.
Image sauce: Ivan Radic (cc:by)
