ctipilot.ch

Shared booking-SaaS breach exposes guests at 100+ Dutch/Belgian/Irish hotels; phishing wave

incident · incident:dutch-hotels-booking-saas-breach-2026

Coverage timeline: 1 (first 2026-06-04 → last 2026-06-04)
Briefs: 1 (1 distinct)
Sources cited: 68 (41 hosts)
Sections touched: 1 (active_threats)
Co-occurring entities: 8

Story timeline

  1. 2026-06-04 · CTI Daily Brief — 2026-06-04 · active_threats · First coverage — EU upstream-SaaS supply-chain breach

Where this entity is cited

  • active_threats: 1

Source distribution

  • attack.mitre.org: 13 (19%)
  • github.com: 4 (6%)
  • therecord.media: 3 (4%)
  • cert.ssi.gouv.fr: 3 (4%)
  • thehackernews.com: 3 (4%)
  • cloud.google.com: 2 (3%)
  • cert.europa.eu: 2 (3%)
  • helpnetsecurity.com: 2 (3%)
  • other: 36 (53%)

Items in briefs about Shared booking-SaaS breach exposes guests at 100+ Dutch/Belgian/Irish hotels; phishing wave (3)

Shared booking-software breach exposes guests at 100+ Dutch, Belgian and Irish hotels; phishing wave already underway

From CTI Daily Brief — 2026-06-04 · published 2026-06-04

More than 100 hotels in the Netherlands plus properties in Belgium and Ireland had guest reservation records (names, contact details, arrival/departure dates) exposed through a shared booking / channel-management / property-management SaaS layer rather than any single hotel's own systems (DutchNews.nl, 2026-06-03 · Techzine EU, 2026-06-03). Hospecs, coordinating the response, attributes the root cause to the upstream provider; the Dutch DPA (Autoriteit Persoonsgegevens) has opened an investigation and GDPR Art. 33/34 clocks are running for each hotel as an independent controller. Criminals are already sending contextually accurate "confirm and pay for your reservation" phishing referencing real upcoming stays. Defender takeaway: a textbook upstream-SaaS supply-chain breach where every downstream customer carries controller liability with zero visibility into the compromise — hunt for anomalous bulk-read API calls against reservation endpoints and treat reservation-context phishing as a known follow-on.

Dutch National Police arrest 35-year-old over AFC Ajax fan-data breach — misconfigured API access-control and shared keys exposed 300,000+ accounts and 42,000 season-ticket records

From CTI Daily Brief — 2026-05-28 · published 2026-05-28

Dutch National Police arrested a 35-year-old man from the municipality of Buren on 2026-05-26 on suspicion of computer trespass (computervredebreuk) against AFC Ajax Amsterdam, following an investigation triggered by Ajax's own disclosure in late March 2026 (BleepingComputer, 2026-05-27; The Record, 2026-05-27; NL Times, 2026-05-26; AFC Ajax victim statement, 2026-03-25). Investigators searched the suspect's residence and seized multiple digital storage devices. Ajax's own statement (issued at the time of the original March 2026 disclosure) attributes the breach to an unauthorised actor who accessed Ajax systems and exfiltrated data; BleepingComputer and The Record, citing the Dutch police release, report the underlying API flaw exposed more than 300,000 fan accounts and 42,000+ season-ticket holders (BleepingComputer, 2026-05-27; The Record, 2026-05-27). RTL reporting cited in BleepingComputer notes the attacker demonstrated the ability to reassign a VIP season ticket in seconds and modify stadium-ban records. Ajax filed an Article 33 GDPR notification to the Dutch Autoriteit Persoonsgegevens (AP) and a criminal complaint; the underlying gap has since been patched.

Defender takeaway: the recurring pattern — REST or mobile-app backend with shared API keys and weak per-object authorisation checks — is directly transferable to public-sector citizen portals (tax, transport, identity, healthcare appointment systems). Hunt hypothesis: review application logs for sequential ID enumeration on resource endpoints (/ticket/{id}, /account/{id}) from authenticated low-privilege sessions; alert on cross-account modification requests where the authenticated principal does not own the target object (textbook BOLA / IDOR signal — mapped to T1190 Exploit Public-Facing Application and T1078 Valid Accounts). Hardening: enforce per-object ABAC at the API gateway; rotate any "shared" backend API keys; treat the mobile/REST estate as in-scope for the same threat model as the customer web front.
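The hunt hypothesis above turned into detection logic, as an added example that is not from the brief or its sources: it runs over constructed access-log lines and a constructed ownership map, flags a principal walking consecutive IDs on /ticket/{id} or /account/{id}, and flags successful writes where the authenticated principal does not own the target object. The log format, field names, run-length threshold and ownership source are assumptions.

```python
import re
from collections import defaultdict

# Constructed access-log lines (not from the page): "<ts> <principal> <method> <path> <status>"
SAMPLE_LOG = """\
2026-05-20T10:00:01Z user1042 GET /account/1042 200
2026-05-20T10:00:02Z user1042 GET /ticket/5001 200
2026-05-20T10:00:03Z user1042 GET /ticket/5002 200
2026-05-20T10:00:04Z user1042 GET /ticket/5003 200
2026-05-20T10:00:05Z user1042 GET /ticket/5004 200
2026-05-20T10:00:06Z user1042 PUT /ticket/5004 200
2026-05-20T10:01:00Z user2077 PATCH /account/2077 200
"""
# Constructed ownership map (in production: a lookup against the ticketing DB or entitlement service)
OWNERS = {"/account/1042": "user1042", "/account/2077": "user2077", "/ticket/5001": "user1042",
          "/ticket/5002": "user3000", "/ticket/5003": "user3001", "/ticket/5004": "user3002"}
LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (/(ticket|account)/(\d+))\S* (\d{3})$")

def parse_log(text):
    """Parse lines into dicts; requests that are not against a resource endpoint are skipped."""
    records = []
    for m in filter(None, (LINE_RE.match(line.strip()) for line in text.splitlines())):
        ts, principal, method, path, resource, obj_id, status = m.groups()
        records.append({"ts": ts, "principal": principal, "method": method, "path": path,
                        "resource": resource, "id": int(obj_id), "status": int(status)})
    return records

def find_enumeration(records, run_length=4):
    """Flag a principal that walks >= run_length consecutive integer IDs on one resource endpoint."""
    ids_by_actor = defaultdict(list)  # (principal, resource) -> object IDs in request order
    for r in records:
        ids_by_actor[(r["principal"], r["resource"])].append(r["id"])
    hits = []
    for (principal, resource), ids in ids_by_actor.items():
        run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= run_length:  # report the first qualifying run, then move on
                hits.append((principal, resource, cur - run_length + 1, cur))
                break
    return hits

def find_cross_account_writes(records, owners):
    """Flag successful write requests whose authenticated principal does not own the target object."""
    return [(r["principal"], r["method"], r["path"], owners.get(r["path"])) for r in records
            if r["method"] != "GET" and r["status"] < 400 and owners.get(r["path"]) != r["principal"]]
```

Both signals together (an ID walk followed by a write to an object the walker does not own) is the BOLA/IDOR pattern the takeaway describes; either alone is a lower-confidence lead.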

CVE-2026-5426 — Digital Knowledge KnowledgeDeliver LMS: pre-shared ASP.NET `machineKey` enables ViewState deserialization RCE, exploited as a zero-day

From CTI Daily Brief — 2026-05-26 · published 2026-05-26

Mandiant / Google Threat Intelligence Group published an incident-response investigation into a late-2025 compromise of a web server running KnowledgeDeliver, an ASP.NET learning-management system from Japan-based Digital Knowledge that is widely deployed in Japanese enterprise and education environments (Google Threat Intelligence Group, 2026-05-25; Mandiant Vulnerability Disclosures MNDT-2026-0009). The root cause (CVE-2026-5426) is identical pre-shared ASP.NET machineKey values shipped across all customer installations by default: any party who recovers the hardcoded key from one instance can forge a validly signed/encrypted ViewState payload and replay it against any other deployment. Because ASP.NET ViewState is deserialized through ObjectStateFormatter, which falls back to BinaryFormatter for arbitrary types, a forged payload yields arbitrary .NET object-graph deserialization and remote code execution (T1190). Mandiant states the flaw was exploited as a zero-day prior to the 2026-02-24 patch.

Post-exploitation, the actor deployed BLUEBEAM (a variant of the Godzilla web shell) that runs entirely inside the IIS worker process w3wp.exe — no shell file on disk — receiving commands over encrypted HTTP POST (T1505.003, T1071.001), then injected content into the LMS to mount a watering-hole attack against its users (T1189). Targeting is Japan-primary, but the transferable lesson is broad and urgent for CH/EU public-sector .NET estates: audit every ASP.NET application for shared or default machineKey values and rotate to unique, cryptographically strong per-deployment keys — there is no default-config toggle that removes the shared-key risk. Hunt for Windows Application-log Event ID 1316 (ViewState validation failure — Mandiant notes even successful exploitation generated these) on LMS-adjacent web servers, and for w3wp.exe spawning cmd.exe/powershell.exe/cscript.exe or making unexpected outbound connections (Sysmon EID 1 with a parent-image filter on w3wp.exe). Because BLUEBEAM is memory-resident with no on-disk shell file, live-memory collection on the IIS worker is the primary post-exploitation detection path.
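The machineKey audit recommended above, as an added example that is not Mandiant's or the vendor's code: it parses web.config fragments and reports the two ViewState weaknesses relevant here, the same explicit machineKey reused across independent deployments and ViewState MAC switched off. The config fragments and key values are constructed placeholders, and findings carry a key fingerprint rather than the raw secret.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed web.config fragments with placeholder keys (not real KnowledgeDeliver values).
SHARED_MK = ('<machineKey validationKey="%s" decryptionKey="%s" '
             'validation="HMACSHA256" decryption="AES"/>' % ("A1B2" * 32, "C3D4" * 16))
CONFIGS = {
    # two independent deployments shipped with one vendor-default key: the CVE-2026-5426 pattern
    "lms-a/web.config": "<configuration><system.web>%s</system.web></configuration>" % SHARED_MK,
    "lms-b/web.config": "<configuration><system.web>%s</system.web></configuration>" % SHARED_MK,
    # per-machine autogenerated keys: a payload forged elsewhere does not validate here
    "portal/web.config": '<configuration><system.web><machineKey validationKey="AutoGenerate,IsolateApps" '
                         'decryptionKey="AutoGenerate,IsolateApps"/></system.web></configuration>',
    # unique key, but the ViewState integrity check itself is disabled
    "legacy/web.config": '<configuration><system.web><machineKey validationKey="%s" decryptionKey="%s" '
                         'enableViewStateMac="false"/></system.web></configuration>' % ("E5F6" * 32, "0789" * 16),
}

def extract_machine_key(xml_text):
    """Return the <machineKey> attributes, or None when the app inherits machine.config (audit that too)."""
    mk = next(ET.fromstring(xml_text).iter("machineKey"), None)
    if mk is None:
        return None
    return {"validationKey": mk.get("validationKey", "AutoGenerate"),
            "decryptionKey": mk.get("decryptionKey", "AutoGenerate"),
            "enableViewStateMac": mk.get("enableViewStateMac", "true")}

def fingerprint(secret):
    """Short SHA-256 prefix so reports can correlate keys without ever logging the raw value."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]

def audit(configs):
    """Return sorted (path, finding) pairs: MAC disabled, or an explicit key reused across deployments."""
    findings, by_key = [], defaultdict(list)
    for path, text in configs.items():
        mk = extract_machine_key(text)
        if mk is None:
            continue
        if mk["enableViewStateMac"].lower() == "false":
            findings.append((path, "viewstate_mac_disabled"))
        for attr in ("validationKey", "decryptionKey"):
            if not mk[attr].startswith("AutoGenerate"):
                by_key[(attr, fingerprint(mk[attr]))].append(path)
    for (attr, fp), paths in by_key.items():
        if len(paths) > 1:  # same explicit key present in more than one deployment
            findings.extend((p, f"shared_{attr}:{fp}") for p in paths)
    return sorted(findings)
```

Run it over every web.config (and each server's machine.config) in the estate; an explicit key is legitimate for a web farm, so the finding to act on is the same fingerprint appearing in deployments that were never meant to share state.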

CVE Summary Table

CVE-2026-9058 · Product: Szafir SDK (KIR) qualified e-signature library · CVSS: 9.3 (CVSS 4.0) · EPSS: n/a · KEV: No · Exploited: Not reported · Patch: v463 · Source: CERT Polska
CVE-2026-5426 · Product: Digital Knowledge KnowledgeDeliver LMS (ASP.NET) · CVSS: n/a · EPSS: n/a · KEV: No · Exploited: Yes (zero-day, pre-2026-02-24) · Patch: 2026-02-24 release · Source: Mandiant GTIG