Booking.com discloses guest data breach

Booking.com has disclosed a data breach that exposed guest details including names, emails, phone numbers, addresses and reservation information; the responsible threat actor wasn’t named in the disclosure. The company’s announcement surfaced on social channels as security researchers shared initial summaries of the exposed fields (x.com/H4ckmanac/status/2043954371604492534).

Booking.com told affected customers that unauthorized third parties may have accessed reservation data tied to their trips, and it reset reservation PIN codes. (forbes.com) The company said the exposed information may include names, email addresses, phone numbers, street addresses and booking details. Booking.com said it took action to contain the incident after detecting suspicious activity. (techcrunch.com; forbes.com)

Booking.com did not identify the threat actor in its public comments, and early reports said the company had not disclosed how many customers were affected. BleepingComputer reported the company confirmed unauthorized access to its systems, while Skift said the notice left key scope questions unanswered. (bleepingcomputer.com; skift.com)

The data involved is the kind criminals use for follow-on scams: a real name, a real hotel stay, and a real arrival date can make a fake payment message look legitimate. Booking.com’s own traveler safety guidance says no legitimate transaction should require gift cards or credit card details by phone, text message, or email. (securityboulevard.com; booking.com)

That risk is not theoretical in travel. Malwarebytes documented campaigns in which attackers hijacked hotel-side booking systems and used genuine reservation details to send fraudulent payment requests to guests. (malwarebytes.com)

Booking.com sits inside a much larger travel network. Parent company Booking Holdings said last week that its brands operate in more than 220 countries and territories, and its 2025 gross bookings reached $186.1 billion. (bookingholdings.com; bookingholdings.com)

The company has faced regulatory scrutiny over breach reporting before. The Dutch Data Protection Authority fined Booking.com €475,000 in 2021 after a separate incident involving more than 4,000 customers was reported late; the regulator said credit card data was exposed for nearly 300 people in that case. (autoriteitpersoonsgegevens.nl)

For travelers, the immediate change is practical: treat any message about an upcoming reservation with more suspicion, especially if it asks for payment or verification outside Booking.com’s normal channels. For Booking.com, the next test is whether it releases firmer numbers and a clearer account of how the intrusion happened. (forbes.com; skift.com)
