Booking.com data breach

Booking.com said on April 13 that hackers accessed some customers’ reservation data and that affected reservation Personal Identification Number codes were reset. (techcrunch.com) The company said the exposed information may include names, email addresses, phone numbers, home addresses and booking details tied to specific stays. Booking.com told customers it “immediately took action to contain the issue,” according to notices reviewed by multiple outlets. (forbes.com) Booking.com has not said how many customers were affected or how attackers got in. Reports published on April 13 and April 14 said the company has so far disclosed the breach in broad terms and has not released a full incident timeline. (skift.com) A reservation record is useful to scammers because it can include where you are staying, when you are arriving and how the hotel usually contacts you. That lets criminals send messages that look tailored to a real trip instead of a random spam email. (cybernews.com) Booking.com’s own traveler safety guidance says legitimate payments or reservation changes will not require gift cards or credit card details by phone, text message or email. Its partner guidance also warns that account takeovers can lead to guests receiving fake payment requests that appear to come from a property. (booking.com) That warning lands after years of travel-booking scams built around stolen or hijacked reservation messages. In 2023, Booking.com publicly described phishing as a common attack path against accommodation partners because those accounts hold guest reservation data and payment details. (booking.com) The company’s partner documentation says signs of unauthorized access include guests getting payment requests that did not originate from the property and changes to contact information, rates or availability. That means travelers may see convincing messages even when the hotel itself did not send them. (booking.com) For customers, the practical issue is not only what was viewed, but what could be done with it next. Booking.com and outside security reporting have both pointed users toward the same risk: phishing emails, text messages and phone calls that use real reservation details to ask for money or more personal data. (pcmag.com) Booking.com said affected users were notified directly, and reporting on April 14 said travelers who got those notices should treat any follow-up contact about a booking with extra caution. The company has not said when it will publish a fuller accounting of the breach. (computing.co.uk)