Ask Onix
Travel giant confirms customer data breach amid scam surge
Booking.com has acknowledged a security incident exposing customer details, which security experts warn could trigger a wave of sophisticated scams targeting travelers. The company has begun notifying affected users but has not disclosed the scale or geographic reach of the breach.
How the breach unfolded
In emails reviewed by the BBC, Booking.com stated that it detected "suspicious activity" affecting multiple reservations and took immediate steps to contain the issue. Hackers accessed names, email addresses, phone numbers, and booking histories, though the company insists financial data remained secure.
Cybersecurity firm Norton has labeled the emerging threat "reservation hijacks," where fraudsters impersonate hotels to deceive customers into transferring money under false pretenses. The stolen data allows criminals to craft highly convincing messages by referencing real properties, travel dates, and contact details.
"This new data makes scams far more dangerous. Criminals can now mimic routine customer service interactions with alarming precision,"
Luis Corrons, Security Evangelist at Norton
Company response and customer warnings
Booking.com has updated reservation PINs and urged users to stay alert for phishing attempts. The company emphasized that it will never request credit card details via email, phone, WhatsApp, or text, nor ask for bank transfers outside the original booking confirmation terms.
Despite implementing new safety measures, the platform has faced criticism for its handling of past scams. One customer told the BBC she felt "failed" after losing money, while others have reported similar incidents since early 2023.
Why this breach is different
Historically, reservation hijacks relied on hackers breaching hotel accounts on Booking.com to send phishing messages. The latest breach eliminates this step, allowing fraudsters to directly target customers with authentic-looking details.
"When a breach at this scale escalates to active phishing campaigns within days, it suggests a deliberate strategy rather than opportunistic crime,"
Darren Guccione, CEO of Keeper Security
Industry-wide implications
The incident underscores growing vulnerabilities in the hospitality sector, where large platforms like Booking.com, with nearly seven billion check-ins since 2010, remain prime targets for cybercriminals. Experts advise travelers to verify any payment requests through official Booking.com channels before taking action.