Booking.com confirms customer data accessed in cyber incident

Stresses no financial information accessed

Travel booking platform Booking.com has confirmed that hackers accessed customer information following what it described as "suspicious activity" involving unauthorised third parties.

The company says it identified the breach after detecting unusual access to some guests' booking data.

"Upon discovering the activity, we took action to contain the issue," the company told The Guardian. "We have updated the pin number for these reservations and informed our guests."

While the company declined to disclose how many customers were affected, it stressed that no financial information had been accessed during the incident. However, in emails sent to customers, Booking.com acknowledged that attackers may have obtained "certain booking information" linked to past reservations.

This could include names, email addresses, phone numbers, postal addresses, booking details, and any information shared directly with accommodation providers.

Booking.com is owned by Booking Holdings, which also operates platforms including OpenTable, Agoda and Kayak. The firm, headquartered in Amsterdam, connects millions of travellers worldwide to accommodation, transport and experiences, listing more than 30 million properties globally. The group employs more than 24,000 people globally and has reported billions in annual revenue.

Phishing concerns

The breach has prompted concern among users, with several reporting suspicious communications shortly after the incident.

Some customers said they received phishing emails and WhatsApp messages referencing upcoming trips.

One user described receiving repeated phone calls from individuals claiming to represent a travel agency and seeking to confirm reservations. When pressed for verification, the callers reportedly became evasive or abruptly ended the conversation.

Others reported messages from individuals posing as hotel staff, including so-called "check-in managers", attempting to extract further details about bookings.

Such tactics are consistent with targeted phishing campaigns, where stolen booking data is used to lend credibility to fraudulent messages.

Unanswered questions

Booking.com has not disclosed how the breach occurred, whether any group has claimed responsibility, or whether the accessed data was removed from its systems. It also remains unclear when the intrusion was first detected.

However, one Reddit user claimed they had reported a security breach 15 days earlier, but said the company responded that everything appeared normal on its systems.

"After several unanswered emails and calls, Booking.com decided to flee and blame the hotel regarding the data leakage," the user said.

Booking.com has faced increasing challenges with online scams in recent years, including fraudsters impersonating hotels to request payment details from customers.

In January, Securonix disclosed a "click-fix" phishing campaign linked to Russian hackers, aimed at deceiving Booking.com users into installing malware on their devices.

The attackers reportedly sent spoofed emails impersonating hotels, warning recipients of a cancelled reservation and a large charge, encouraging them to click on malicious links to investigate.

In 2018, attackers used phishing techniques to obtain login credentials from hotel staff in the United Arab Emirates, enabling them to access the booking data of more than 4,000 customers on the platform.