Travel giant Booking.com has confirmed it has suffered a significant data breach, prompting warnings of sophisticated “reservation hijacking” scams targeting holidaymakers.
The Amsterdam-headquartered company began notifying an undisclosed number of customers this week that unauthorised third parties had gained access to sensitive booking information, prompting an immediate reset of security PIN codes for both current and past reservations.
While the firm has moved to reassure users that its internal payment systems were not compromised, cybersecurity experts warn that the stolen data is a “gold mine” for fraudsters. According to reports from multiple sources, the breach has exposed customer names, email addresses, phone numbers, and specific travel itineraries – including dates and the names of hotels booked through the platform.
The incident was first identified by the company on Sunday, April 12, following “suspicious activity” linked to certain reservations. In a statement, Booking.com said it had “taken action to contain the issue” and was communicating directly with affected guests.
However, the travel service, which has processed nearly seven billion check-ins since 2010, has so far refused to disclose exactly how many people have been affected or the specific region where the hack originated.
The rise of ‘reservation hijacking’
The primary danger for consumers now lies in a technique dubbed “reservation hijacking” by the security firm Norton. Unlike traditional phishing, where scammers send generic emails, this data leak allows criminals to craft “precision” messages.
By referencing a victim’s actual travel dates and the specific hotel they are visiting, fraudsters can impersonate hotel staff or Booking.com customer service with terrifying accuracy.
As Joe Tidy, BBC Cyber Correspondent, reports, some customers have already been targeted by these scams. Victims are often contacted via WhatsApp or text message and told there is a “problem” with their payment that requires them to re-enter their credit card details or make a direct bank transfer to secure their stay.
Luis Corrons, a security evangelist at Norton, warned that the accuracy of the stolen data makes these scams feel like “routine customer service,” making it far easier to trick even tech-savvy travellers.
The breach appears to have impacted a wide range of users, including those with cancelled or past bookings. Some property managers have reported on social media that their clients’ security PINs were updated without warning, leading to confusion at check-in desks.
Darren Guccione, CEO of Keeper Security, told the Guardian that the speed at which the data has moved from exfiltration to active phishing campaigns suggests a “deliberate and organized” effort by cybercriminals.
Lisa Webb, Which? Consumer Law Expert, said:
“Which? has repeatedly sounded the alarm about the lack of robust safeguards on Booking.com and the sheer scale of scams reported on the site. We’ve even presented evidence of fraud issues to Ofcom before, and asked it to investigate whether the platform was doing enough to comply with the Online Safety Act.
“It comes as no surprise that criminals are yet again taking advantage of the Booking.com platform to target its customers.
“If you are a Booking.com customer, change your password and be vigilant with any correspondence coming in from people purporting to be from Booking.com or accommodation providers.”
Booking.com has reiterated that it will never ask guests for credit card details or bank transfers via email or text. Travellers are advised to remain hyper-vigilant and to verify any “urgent” requests regarding their stays by contacting the hotel directly through a known, official telephone number.