Personal details belonging to customers of the travel giant Booking.com have been accessed by unauthorised parties, the company has confirmed, in the latest cybersecurity incident to hit the platform.
What happened in the breach?
Booking.com stated that it “noticed some suspicious activity involving unauthorised third parties being able to access some of our guests’ booking information.” The Amsterdam-based company said that upon discovery, it “took action to contain the issue.” As a security measure, it has updated the PIN numbers for the affected reservations and informed the customers involved.
The company has declined to reveal how many customers were impacted or when the breach occurred, stating only that the incident has affected users in various regions. It has reported the matter to the Dutch privacy regulator, the Autoriteit Persoonsgegevens (AP).
What customer information was taken?
In an email to those affected, the company warned that the hackers may have accessed “certain booking information” linked to a previous reservation. The exposed data could include specific booking details, the customer’s name, email address, physical address, and phone number. Critically, it could also encompass “anything that you may have shared with the accommodation,” potentially exposing any special requests or communications sent via the platform.
Booking.com has emphasised that, in this incident, financial information such as credit card details and CVV codes was not accessed. The company is advising affected customers to take extra precautions, including being vigilant for sophisticated phishing attempts, as the stolen personal data could be used to craft convincing scam messages.
A history of security incidents
This breach is not an isolated event for the platform, which has faced a rising tide of cybercrime targeting both its systems and its vast network of accommodation partners.
In December 2018, criminals used phishing tactics to steal login details from hotel employees in the United Arab Emirates, gaining access to the data of more than 4,000 people. In that breach, credit card information of nearly 300 customers was accessed, with CVV codes compromised in about 97 cases. The Dutch AP later fined Booking.com €475,000 for reporting that breach 22 days late, missing the 72-hour deadline mandated by the GDPR. The regulator noted a high risk to victims from subsequent phishing attacks using the stolen data.
Separately, the company experienced a breach in 2016 involving an American hacker with alleged links to US intelligence services, an incident it did not report to authorities or customers at the time.
The platform has recently struggled with a proliferation of online scams. Cybersecurity analysts have reported a significant increase in phishing attacks where hackers compromise hotel accounts and then send fraudulent payment requests to guests, often using AI tools to replicate official logos and communication styles. The Australian Competition and Consumer Commission (ACCC) reported a 580% surge in scams mentioning Booking.com in 2023, resulting in over $337,000 in losses.
Furthermore, consumer watchdog Which? has highlighted security gaps in host verification on the platform. An investigation found that a property could be listed in under 15 minutes with minimal identity checks, a process less stringent than on rivals like Airbnb. This has led to reports from hundreds of users who paid for non-existent accommodations, though Booking.com has stated most such cases were due to hosts failing to update availability rather than outright scams.
Booking.com is owned by the US-based Booking Holdings, a $137bn company that also owns OpenTable, Agoda, and Kayak. The parent group states it partners with cybersecurity firms to strengthen its defences and maintains a commitment to network security across its brands. The wider travel industry continues to face pressure to tackle fake listings and improve security, with experts noting that cyber incidents are a persistent threat across the sector.
