What Happened
Booking.com, the Amsterdam-based online travel platform, has started sending notifications to an undisclosed number of customers warning them that an unauthorized third party may have accessed information associated with their travel reservations. Copies of the notification that affected users posted publicly indicate that names, email addresses, phone numbers, and details shared with accommodations may have been exposed.
When contacted by SecurityWeek, Booking.com was careful to clarify that customer accounts themselves were not breached. Instead, the company described detecting "suspicious activity involving unauthorized third parties being able to access some of our guests' booking information."
Scope Remains Unclear
Despite confirming the incident, Booking.com has offered limited detail on how the attackers reached the data. It is not known whether the company's own systems were directly compromised or whether the threat actors obtained the booking information through some other pathway. The total number of affected users has also not been disclosed, leaving many customers uncertain about their own exposure.
Company Response
A Booking.com spokesperson addressed the incident via email, stating:
"We took quick action and the issue has been fully contained. We have updated the PIN number for these reservations and informed our customers accordingly."
The spokesperson further noted that no financial or payment information was accessed during the incident. As a precautionary measure, the company is urging affected customers to stay alert to potential phishing attempts. Booking.com also reinforced that it will never ask for credit card details by email, phone, WhatsApp, or text message, nor will it ask customers to make a bank transfer that differs from the payment details included in their booking confirmation.
Phishing Risks for Affected Customers
Even though financial data was reportedly not obtained, the personal information that was potentially accessed (names, email addresses, and phone numbers) is precisely the kind of data that cybercriminals use to craft convincing phishing and social engineering attacks, because a message that references a real stay at a real property is far harder to dismiss than a generic lure. Customers who received notifications should be especially cautious of any unexpected communications claiming to be from Booking.com or from the hotels and accommodations they booked.
- Do not click on links in unsolicited emails or text messages claiming to be from Booking.com.
- Verify any payment requests directly through the official Booking.com website or app.
- Be suspicious of any communication asking for credit card numbers or bank transfers not reflected in your original booking confirmation.
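The first two checks above (does a link really point at booking.com, and does the visible text match the actual destination) are mechanical enough to automate. The Python script below is an added example written for this article; it is not Booking.com's code. The allowlist of legitimate domains and the sample HTML message are constructed for illustration, and the registrable-domain helper (last two labels of the hostname) is a deliberate simplification of what a Public Suffix List lookup would do.

```python
"""Audit links in a suspected phishing email against an allowlisted sender domain.

Added example for this article, not Booking.com tooling. LEGIT_DOMAINS and
SAMPLE_HTML are constructed; the domain logic is a simplification (see below).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the only registrable domain a customer should expect reservation
# mail to link to. A real deployment would use the operator's published list.
LEGIT_DOMAINS = {"booking.com"}

# Constructed sample message with three common lure patterns:
#  1. lookalike host that merely *starts* with booking.com, displayed as a real URL
#  2. a genuine subdomain of the legitimate domain
#  3. "booking.com" placed in the userinfo part, so the real host is evil.example
SAMPLE_HTML = """
<p>Your reservation at Hotel Example requires payment confirmation.</p>
<a href="https://booking.com.secure-confirm.example/pay?ref=123">https://www.booking.com/myreservations</a>
<a href="https://admin.booking.com/login">Manage booking</a>
<a href="https://booking.com@evil.example/pay">Confirm payment</a>
"""

# Matches display text that itself looks like a URL or bare domain.
_URLISH = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?", re.I)


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Simplification: 'www.booking.co.uk' would wrongly yield 'co.uk'; production
    code should consult the Public Suffix List instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_is_legit(url: str) -> bool:
    """True only if the URL's *actual* host belongs to an allowlisted domain."""
    parts = urlsplit(url)
    # urlsplit().hostname strips userinfo, so 'booking.com@evil.example' -> 'evil.example'
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return registrable_domain(parts.hostname) in LEGIT_DOMAINS


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html: str) -> list[dict]:
    """Return one finding per link: is the destination legit, and does URL-like
    display text point somewhere other than the real destination?"""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real_host = urlsplit(href).hostname or ""
        shown = _URLISH.fullmatch(text)
        mismatch = bool(shown) and registrable_domain(shown.group(1)) != registrable_domain(real_host)
        findings.append({
            "href": href,
            "text": text,
            "legit": link_is_legit(href),
            "display_mismatch": mismatch,
        })
    return findings


def suspicious_links(html: str) -> list[str]:
    """Hrefs whose real destination is outside the allowlisted domains."""
    return [f["href"] for f in audit_links(html) if not f["legit"]]


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_HTML):
        print(finding)
```

The userinfo case is the one people most often get wrong by eye: a naive substring check for "booking.com" passes it, while parsing the URL and reading the real hostname does not. Anything flagged here should be verified through the official site or app rather than by replying to the message.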
A Pattern of Targeting the Hospitality Sector
This incident is not the first time Booking.com or the broader hospitality industry has found itself in the crosshairs of cybercriminals. The platform has previously been linked to security concerns, including a sophisticated ClickFix campaign that targeted the hospitality sector, as well as critical vulnerabilities that researchers demonstrated could allow full account takeover on Booking.com. Travelers have also been affected by separate incidents, such as the data breach involving Eurail in which traveler information was stolen.
The repeated targeting of travel and hospitality platforms underscores the value that threat actors place on reservation data, which can be leveraged for fraud, identity theft, and targeted phishing campaigns.
What Customers Should Do Now
Booking.com says it has already reset the PINs associated with the impacted reservations and has notified affected customers. If you have not received a notification but are concerned, security experts generally recommend the following steps:
- Check your email for any official notification from Booking.com regarding your reservation.
- Review your account activity for any unauthorized changes.
- Be vigilant about phishing emails, particularly those referencing your real travel plans or booking details.
- Contact Booking.com's customer support directly if you suspect your reservation data was involved.
As of the time of reporting, Booking.com has not issued a broader public statement beyond the spokesperson comments provided to SecurityWeek, and the full scope of the incident is yet to be determined.
Source: SecurityWeek