
Booking.com confirms data breach, remains tight-lipped about details

A data breach at Booking.com has exposed customer bookings. “Unauthorized third parties” gained access to this information, but neither the extent of the breach nor when it occurred is known. However, the company hopes to reassure customers by stating that the issue has since been resolved.

Booking.com confirmed the breach on Sunday evening. In an email to affected guests, the company states that it has detected “suspicious activity affecting a number of reservations.” Investigators determined that attackers may have accessed names, email addresses, physical addresses, and phone numbers. Booking details and information that customers shared with their accommodations may also have been compromised.

Booking.com has not disclosed exactly how many customers were affected or when the attack took place. The company has not responded to questions from the ANP regarding this matter.

Booking.com a frequent target

The Booking.com platform is no stranger to attempted attacks. Sometimes this has led to data breaches. In 2018, for example, criminals used phishing to steal login credentials from hotel employees in the United Arab Emirates, thereby gaining access to booking data for over 4,000 customers. At the time, Booking.com reported the breach to the Dutch Data Protection Authority 22 days late—far too late to meet the 72-hour requirement under the GDPR. This resulted in a fine of 475,000 euros from the privacy watchdog.

Even after that incident, the platform remained a prime target. In June 2024, Booking.com reported that phishing attacks on travelers had risen by 900 percent, partly due to cybercriminals’ use of AI. Early this year, criminals also managed to gain access to hotel accounts and sent fraudulent payment requests to guests via the platform’s messaging feature. Because the messages appeared to come from genuine hotel accounts, they were difficult to recognize as fake.

Details remain unclear

Regarding the current incident, Booking.com states that the affected guests have been informed and that the issue is under control. The company provides no explanation of the exact cause of the breach or which systems were involved. The question of how many people were affected also remains unanswered.

This is far from a helpful approach. Some companies share a post-incident analysis following a technical breach, partly to warn other organizations, but also because it highlights where a platform’s security measures need improvement. For now, Booking.com has not done so.
