When Aggregation Sites Are Targeted: The Booking.com Ripple Effect

A spate of phishing incidents targeting users of Booking.com highlights the challenge of managing risky supply chains, finds Phil Muncaster

As the digital world continues to expand, aggregation sites offer a welcome respite for eyesore consumers sick of trawling the internet for the best deals. For businesses listed with these platforms, there’s the prospect of reaching a potentially vast and readymade market of future customers. But what happens when things go wrong? It’s not necessarily easy to determine who’s legally liable when those customers are targeted by hackers who have obtained sensitive personal and booking information.

For businesses planning to list on such sites, it may be time to take a detailed look at the data protection implications and risks of doing so.

Why aggregators mean business

Aggregation sites bring buyers and sellers together, bringing order to the chaos of the internet for consumers and delivering new business opportunities for the companies whose products and services are listed. They are most popular in markets where users would otherwise be forced to trawl multiple individual vendor websites to find what they want. Perhaps best known are hotel, airline and travel booking aggregation sites. However, many others can be found in online retail, food delivery and restaurant bookings, property rentals/purchases, and financial services.

Such platforms help consumers to make sense of a messy and complex digital world, accelerating the journey to better-informed purchasing decisions and improving the chances that users can find the best deals. For businesses listing on them, it’s all about providing access to new customers and markets that may otherwise be difficult or expensive to reach. They may also be able to buy anonymised data sets to improve marketing efforts. From an economic perspective, this aggregation of supply and demand makes for greater market efficiency. In theory, everyone wins—especially the aggregation sites themselves, which can end up amassing huge volumes of highly monetisable user data.

The challenge for businesses operating in these environments is that this information is a potential goldmine for fraudsters.

A cautionary tale

Concerns about such risks have been raised many times in the past. Rumours have been swirling for years that Booking.com may have been breached after customers who booked through the site were subsequently targeted with phishing emails and texts. These missives sometimes contained legitimate-looking sender domains associated with the aggregation site, as well as correct booking details. In one case, clicking through on an email led the victim to a near-perfect replica of the Booking.com site with all of their booking information displayed – including booking name, dates of stay, hotel name and exact fare. The end goal on this occasion was to trick the user into clicking through and ‘paying’ for their stay, which would have effectively handed the scammers their credit card details.

“Some hotel groups have a love/hate relationship with third-party booking sites as some of them are scams too” Jonathan Armstrong

These incidents and similar scams date back at least as far as 2014 and are ongoing today. In all of the cases reviewed by Assured Intelligence, Booking.com denied being hacked, claiming that employees working for partner hotels had been compromised via phishing attacks. The hackers presumably used this access to obtain customer information and send phishing messages to those customers. The booking aggregation site said it recently blocked these partner accounts to minimise risk and made its support team available to work with the affected hotels.

However, an aggregation site could be compromised in several ways, from phishing emails targeting staff members to attacks designed to exploit vulnerabilities in its code. Several such bugs were found in the Booking.com platform, which could have enabled hackers to hijack user accounts completely and steal any personal information. Aggregation sites also have their own suppliers, which can unwittingly increase the risk of third-party compromise. One is Spanish developer Prestige Software, which helps hotels automate their availability on travel aggregation websites like Expedia, Booking.com, Agoda and Hotels.com. In 2020, researchers found the personal information of millions of hotel guests leaked online after Prestige Software misconfigured a cloud server.

Who’s to blame?

This raises some tricky questions about legal liability if data is accessed and used to defraud customers. In the case of Booking.com, if the aggregation giant is correct, it appears the blame lies with the small number of hotels whose employees have been tricked into divulging their back-end Booking.com credentials. But things can get complicated quickly in these aggregation ecosystems, warns Cordery partner Jonathan Armstrong.

“From hotel work I’ve done, there’s likely to be lots of different data controllers involved, each with their own responsibility for bits of data,” he tells Assured Intelligence. “In one of the cases we looked at, there were seven different data controllers for one stay.”

If the aggregation site itself is breached, then it is most likely its own responsibility to report the breach, take steps to remediate it, and/or force suppliers to do the same, Armstrong continues.

“However, I think the risk is hard to manage. Some hotel groups have a love/hate relationship with third-party booking sites as some of them are scams too,” he argues. “They can try and alter the access agreement on their site to make the terms of use clearer, but that’s never going to be foolproof.”

Taking steps to reduce risk

Any organisation looking to list on an aggregation site should, therefore, have one eye on the potential legal implications, says Armstrong.

“Businesses can also help mitigate the risks posed by aggregation partners by conducting effective research on the partner’s security practices” Lewis Duke

“Ask your data protection officer (DPO) or legal team to look properly at the risk. If the third party is an official partner, ensure you have a proper contract with them,” he advises.

For Trend Micro SecOps risk and threat intelligence lead Lewis Duke, there are several steps businesses should consider before signing up for an aggregation site. These include requiring that the firm deploys strong encryption when transmitting data to prevent it from being intercepted and that it has robust identity verification checks for users.

“Businesses can also help mitigate the risks posed by aggregation partners by conducting effective research on the partner’s security practices. This includes looking for things like a commitment to regular security assessments and employee awareness training,” he tells Assured Intelligence.

“Also, ensure that data protection agreements (DPAs) are in place. These are legally binding contracts that outline the responsibilities of each party in terms of data protection. They should include provisions like breach notification and data subject rights.”

This should also go hand-in-hand with efforts to enhance in-house security policies and processes to list with an aggregator. This will help to mitigate the risk associated with attacks targeting hotels for log-ins, as per the Booking.com cases outlined above. The UK’s National Cyber Security Centre (NCSC) is a valuable resource, especially its high-level ’10 Steps’ and phishing awareness guidance.

The bottom line is that as the digital world grows, demand for aggregation sites will only increase with it. The more popular platforms will continue to invest in security to protect the growing volume of user data they store. But no organisation can be 100% breach-proof. And often, simply by partnering with aggregators, individual businesses may be singled out for attention as a weak link in the security chain.

“Make sure you rehearse incidents like this,” concludes Cordery’s Armstrong. “As AI expands, aggregator sites will become even more prevalent, which means incidents like this are more likely to happen. Be prepared.”