Booking.com confirms reservation-data breach
Booking.com has confirmed a reservation‑data breach and warned customers that hackers may have accessed certain booking information, increasing the risk of targeted phishing. Security analysts say exposed itinerary and contact details make travel‑themed scams more convincing. (techradar.com)
Booking.com said on April 13 that hackers may have accessed some customers’ reservation data and that it reset PIN codes tied to affected bookings. (bleepingcomputer.com) The company told customers that the exposed information could include names, email addresses, phone numbers, booking details, and messages shared with a property. Booking.com said it contained the issue and notified affected guests directly. (techcrunch.com)
Booking.com has not said how many customers were affected or who was behind the breach. It also told reporters that financial information was not accessed. (pcmag.com)
A reservation record is valuable to scammers because it can make a fake message look real. A WhatsApp text or email that includes a hotel name, stay dates, or a booking reference is more likely to persuade a traveler to click or pay. (techcrunch.com)
Booking.com’s own partner guidance says phishing is a scam in which someone pretends to be a trusted sender to steal money or data. The company says accommodation-partner accounts are frequent targets because they hold guest names, phone numbers, and payment-related information. (booking.com)
That warning follows more than two years of travel-themed fraud reports around the platform. In January, Action Fraud in the United Kingdom said it had received 532 reports between June 2023 and September 2024, with losses totaling £370,000 after criminals took over hotel accounts and sent payment requests to guests. (citizensadvicelancashirewest.org.uk)
In November 2024, Booking.com told KrebsOnSecurity that one partner had suffered a security incident that exposed customer booking information, while saying its internal systems were not compromised in that case. Booking.com also said it requires two-factor authentication for partners to access payment details securely. (krebsonsecurity.com)
The new disclosure is different because Booking.com is now telling customers directly that unauthorized parties may have accessed reservation information linked to their bookings. For travelers, the practical change is that any unexpected message about an upcoming stay now carries more risk of being tailored with real details. (bleepingcomputer.com)
Booking.com said it changed reservation PINs for affected bookings and reminded users that it will not ask for sensitive information or bank transfers by email or phone. The next test is whether customers can spot the fake messages before scammers turn real itinerary data into real charges. (bleepingcomputer.com)