Booking.com has confirmed a cybersecurity breach in which unauthorised third parties gained access to sensitive customer information linked to specific reservations, prompting the company to notify affected users after detecting what it described as suspicious activity within its systems.
The company said it began contacting impacted guests over the weekend and moved to contain the exposure while securing affected accounts.
What Data Was Exposed
According to notifications sent to customers, the unauthorised access involved a range of personal and travel-related information. The exposed data may include full names and email addresses, phone numbers and physical addresses, specific reservation dates and booking references, and internal communications shared between the guest and the accommodation provider.
Booking.com said in a statement to The Guardian and other news outlets that financial information was not accessed during the incident. That indicates that credit card numbers and bank details were not compromised, although the personal and booking-related data involved could still be used for identity theft or other forms of social engineering.
Security Response and Company Statement
After identifying the suspicious activity, Booking.com said it took immediate steps to contain the issue and protect guest accounts. The company has forcibly reset PIN numbers for all affected reservations to prevent hackers from further manipulating or viewing booking details through the platform’s administrative portals.
A company spokesperson, Courtney Camp, said the travel platform acted to contain the issue immediately after detecting the suspicious activity. However, the company has not specified how many users were affected or disclosed the technical vulnerability that allowed the unauthorised access.
Phishing Risks and Wider Concerns
The incident has already been followed by reports of phishing attempts, with some users saying they received highly targeted scam messages through WhatsApp and email that used stolen reservation details to appear legitimate. Security experts warned that even without financial data, booking information remains valuable to cybercriminals because it can be used to craft convincing requests for payment details or to direct users to malicious links under the pretext of verifying a booking.
Booking.com has urged customers to remain vigilant and said it will never ask for sensitive bank information or transfers through phone calls or messaging apps. The breach also sits in a wider context for the Amsterdam-based company: in 2024 researchers found spyware on several hotel computers that allowed attackers to take screenshots of the Booking.com administration portal, and Dutch regulators fined the company EUR 475,000 in 2021 for failing to report an earlier data breach within the required timeframe.
About the author – Rehan Khan is a law student and legal journalist with a keen interest in cybercrime, digital fraud, and emerging technology laws. He writes on the intersection of law, cybersecurity, and online safety, focusing on developments that impact individuals and institutions in India.