Booking.com Confirms Hack Exposing Customer Booking Data

Booking.com, one of the world’s largest online travel platforms, has confirmed a cybersecurity incident in which unauthorised third parties accessed personal and booking information belonging to an undisclosed number of customers. The company says it detected the suspicious activity, contained it and reset reservation PINs, and has notified affected guests while warning them to expect follow-on phishing. It has not disclosed when the incident began, how long it lasted or how many customers were affected.

The exposed data includes names, email addresses, phone numbers, physical addresses, booking details and any information guests shared with their accommodation. Courtney Camp, Booking.com spokesperson, told TechCrunch: “We noticed some suspicious activity involving unauthorised third parties accessing some guests’ booking information. We took action to contain the issue and informed our guests.”

Customer Notifications Detail Limited Scope

Emails to affected users refer to “a number of reservations” that may have been viewed by attackers, without giving dates or volumes. Reddit users posted identical notices confirming that contact details and booking metadata were exposed but that no payment card data or passwords were involved. Booking.com says reservation PINs have been updated and that guests were notified in line with GDPR requirements.

The company says its investigation continues but has not disclosed how the attackers gained access, how long they had it or who they were. No official statement beyond the customer notifications has been issued.

Phishing Campaigns Target Victims

Phishing followed quickly. WhatsApp messages impersonating hotel “check-in managers” quote full booking details (guest name, card, hotel, ID) to lure victims to fake sites that demand “3D Secure verification”. Reddit reports describe lures that include hotel photos; one user blocked the sender after checking the link’s domain, and another said the hotel had posted a warning about the scam through the app’s messaging.

The scammers favour “pay-on-arrival” bookings, where no card is stored but the booking metadata alone is enough for convincing social engineering. Spam emails addressing victims by full name suggest the data is already being resold. Experts advise monitoring card statements, not following unsolicited links and reporting suspicious contacts to Booking.com.
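The “domain check” that saved one of the Reddit posters is worth making concrete, because the lures above rely on hosts that merely contain the brand string. The following is an added example, not Booking.com’s code: it extracts the host a browser would actually connect to and accepts only the apex `booking.com` and its true subdomains (that legitimate-host rule is an assumption made here for illustration; a production filter would use the Public Suffix List and the platform’s published domain list). The sample links are constructed to mirror the lure patterns described above.

```python
"""Check whether a link in a 'check-in manager' style message really
points at the booking platform or at a lookalike host.

Added example, not Booking.com's code.  LEGIT_APEX is an assumption made
for illustration; a real filter would consult the Public Suffix List and
the platform's own list of domains.
"""
from urllib.parse import urlsplit

LEGIT_APEX = "booking.com"  # assumed legitimate registrable domain


def host_of(url: str) -> str:
    """Return the lowercase hostname a browser would connect to.

    urlsplit() drops userinfo and port, so 'booking.com@evil.example'
    yields 'evil.example': the brand before the '@' is a decoy.
    """
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()  # a trailing dot names the same host


def is_legit_host(host: str) -> bool:
    """Exact apex match or a true subdomain of it.

    'booking.com-checkin.example' and 'booking.com.verify.xyz' both
    contain the brand but fail: the registrable domain is what counts.
    """
    return host == LEGIT_APEX or host.endswith("." + LEGIT_APEX)


def classify_link(url: str) -> dict:
    """Return a verdict plus the reasons a human should look at."""
    parts = urlsplit(url)
    host = host_of(url)
    reasons = []

    if parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme or 'missing'}, not https")

    if not host.isascii():
        # Homoglyph host typed with non-Latin letters; show the punycode
        # form a browser would display in the address bar.
        punycode = host.encode("idna").decode("ascii")
        reasons.append(f"non-ASCII host, punycode {punycode}")
    elif any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label in host")

    if not is_legit_host(host):
        reasons.append(f"host {host!r} is not {LEGIT_APEX} or a subdomain of it")

    return {"url": url, "host": host, "legit": not reasons, "reasons": reasons}


# Constructed sample links modelled on the lure patterns in the article.
SAMPLE_LINKS = [
    "https://secure.booking.com/confirm?res=123",      # genuine subdomain
    "https://booking.com-checkin-verify.example/3ds",  # brand + hyphen, other apex
    "https://www.booking.com.verify-payment.xyz/",     # brand as attacker's subdomain
    "https://booking.com@evil.example/pay",            # userinfo decoy
    "http://booking.com/",                             # right host, cleartext
    "https://b\u043eoking.com/",                       # Cyrillic 'о' homoglyph
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict = classify_link(link)
        print("OK  " if verdict["legit"] else "FAIL", verdict["url"])
        for reason in verdict["reasons"]:
            print("      -", reason)
```

Only the first sample passes; each of the others is rejected for a specific, explainable reason, which is the point of such a check: a message that looks right should still fail on the host alone.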

Travel Sector’s Persistent Vulnerability

Booking.com’s breach follows incidents at Expedia (2023, 880,000 users exposed) and Hotels.com (2024, payment compromise), confirming online travel agencies as prime targets. Travel data is valuable to fraudsters because names, contact details and booking records are enough for account takeover, fake reservations and identity theft through targeted social engineering.

GDPR exposure is significant: fines of up to €20 million or 4% of global turnover, whichever is higher, are possible, and Booking.com’s 2021 fine of €475,000 for late breach notification shows the regulator is willing to act. The WhatsApp “check-in manager” scams, armed with complete victim profiles, bypass email filters entirely and exploit the urgency travellers feel before a trip.

Consumers should consider credit monitoring with all bureaus, transaction alerts from their bank, MFA on every travel account and virtual card numbers for bookings. For the industry, the recurring pattern argues for shared threat intelligence among online travel agencies and tighter protection of the partner and API channels through which booking data flows. The investigation continues.
