In early 2016, an American hacker broke into the systems of hotel website Booking.com and stole details of thousands of reservations at hotels in countries in the Middle East.

After two months of investigation, four specialists from Booking unmasked the burglar as a man who had close ties with the American intelligence services. That writes the Dutch newspaper NRC.

Booking.com asked the Dutch intelligence service AIVD for help with the investigation into the extensive data theft but did not inform affected customers and the Dutch Data Protection Authority (AP).

The company was not legally obliged to do so at the time; the management ruled on the advice of law firm Hogan Lovells. The AP declined to comment.

Security specialists at Booking.com were uncomfortable with the decision to remain silent about the data breach, say those involved. Experts are also critical. Under the then-current privacy law, a company was required to notify a data subject of data theft if it “would likely adversely affect their privacy.”