Booking.com Data Breach
Booking.com confirmed a data breach that exposed customer reservation information and communications, though the company has given few details. Multiple outlets reported the exposure of sensitive booking records and message histories, highlighting risks tied to operational travel data. (techzine.eu) (technadu.com) (indiantelevision.com)
Booking.com said on April 13 that hackers accessed some customers’ reservation data and changed affected booking confirmation PINs. (bleepingcomputer.com) Emails reviewed by multiple outlets said the exposed information could include names, email addresses, phone numbers, home addresses, booking details, and notes guests sent directly to properties. Booking.com told affected users it had detected “suspicious activity” tied to a number of reservations. (dutchnews.nl)
The company said payment or credit card data was not accessed, but it has not disclosed how many reservations were affected, when the breach began, or whether the intrusion hit Booking.com directly or a partner system. (dutchnews.nl) (theregister.com)
Reservation data is operational travel data: names, dates, contact details, and messages that let a hotel stay actually happen. In this case, that matters because stolen trip details can make scam calls, emails, or text messages look tied to a real booking. (theregister.com)
Booking.com has warned its hotel partners for more than a year that phishing is the most common way organizational breaches begin and that criminals target guest reservation data through partner accounts. The company says it can disable links in partner-to-guest messages when it detects suspicious account activity. (booking.com) That history has shaped the response to this incident because Booking.com’s messaging system has been abused before after hotel accounts were compromised. The company has not said whether this breach followed that pattern. (theregister.com)
Booking.com has faced regulator scrutiny before. In March 2021, the Dutch Data Protection Authority fined the company €475,000 over a separate breach involving more than 4,000 customers and nearly 300 stolen credit card records because it reported the incident too late. (autoriteitpersoonsgegevens.nl)
For travelers, the immediate change is practical: a real reservation number, a changed PIN, and exposed message history give criminals enough context to craft believable follow-up messages. Booking.com says the issue is contained, but it is still withholding the basic facts that would show how wide the breach was. (forbes.com) (dutchnews.nl)