At least a hundred Dutch hotels have fallen victim to a large-scale data breach. As a result, hackers have gained access to reservation data for thousands of guests. Hospitality group Hospecs has confirmed this to the NOS and others. Guests with an active booking are at risk of receiving convincing phishing messages and fake payment requests.
Hospecs Managing Director Tim Vissers posted an appeal on LinkedIn after the company received reports of data breaches at affiliated hotels. Responses came in quickly. “New reports are now coming in every minute,” says Vissers. “This problem is truly massive.” He is now also receiving reports from Belgium and Ireland.
The breach affects hotel guests’ contact information, arrival dates, and departure dates. Guests with active reservations are then contacted by criminals who try to convince them to transfer additional money. ICT Magazine has reviewed dozens of these messages, some of which appear very convincing. Several readers reported that they had notified their hotels, but that some parties simply stated they had not been hacked or knew nothing about it.
Criminals exploit booking data
What makes this incident particularly dangerous is the precision with which the attackers operate. They have access to real reservation data, which allows them to approach guests credibly. That information should normally only be known to the hotel and the guest.
Exactly how the hackers gained access is not yet clear. Vissers does not believe this is a security incident at the hotels themselves. The problem likely lies with a shared software provider used by multiple hotels. An investigation into the cause is still ongoing.
Other news: Hackers tipped of Dutch telco Odido about it’s own data breach
A Pattern in the Travel Industry
This is not the first time the hotel industry has faced this type of attack. In September 2025, the Van der Valk group fell victim to a similar attack, in which guests’ reservation data fell into the hands of criminals. The guests were then contacted with fake payment requests that matched their actual bookings. Travel agency Sunweb was also previously hit by a cyberattack, in which names, email addresses, and booking information were stolen.
Booking.com was at the center of a similar incident in January 2026. Criminals sent fake payment requests to guests via hijacked hotel accounts on the platform, with the number of victims increasing annually. The Dutch Data Protection Authority requires organizations to report a data breach within 72 hours. Whether and when Hospecs or the affected hotels have already done so has not been disclosed. The investigation into the exact cause is still ongoing.