Booking.com has warned customers that unauthorised parties accessed reservation data in a cyber incident disclosed on Monday, with personal details linked to past bookings potentially compromised.
The Amsterdam-headquartered travel platform said it detected “suspicious activity” involving third parties gaining access to some guest booking information and moved to contain the breach. A company spokesperson said: “Upon discovering the activity, we took action to contain the issue. We have updated the PIN number for these reservations and informed our guests.”
Booking.com said financial data was not accessed from its systems and that physical addresses were not exposed. In an email to affected users, the company said the compromised data could include names, email addresses, phone numbers, booking details and any information shared directly with accommodation providers.
In comments to National Technology News, spokesperson added that the firm advises users to be alert to possible scams: Booking.com will not ask guests to share credit card details by email, over the phone, WhatsApp or text, and will not request a bank transfer that differs from the payment policy in a booking confirmation.
“At Booking.com, we are dedicated to the security and data protection of our guests. We recently noticed some suspicious activity involving unauthorised third parties being able to access some of our guests’ booking information.
“Upon discovering the activity, we took action to contain the issue. We have updated the PIN number for these reservations and informed our guests.”
Booking.com declined to disclose how many customers were affected by the breach. The platform, which lists more than 30 million accommodation options globally, connects millions of travellers with hotels, transport and experiences.
The incident adds to a series of security challenges for the company, which has faced increasing levels of online fraud in recent years. Criminals have used phishing tactics on the platform, including requests for payment verification that result in unauthorised charges.
A previous breach in 2018 saw hackers exploit login credentials stolen from hotel employees in the United Arab Emirates, allowing access to the booking data of more than 4,000 users. Dutch regulators later fined the company €475,000 for reporting that incident 22 days after discovering it.
Sky News Australia reported that customers were notified of the latest breach via email on Monday, reiterating that financial information had not been compromised. The broadcaster cited Booking.com’s statement confirming that “unauthorised third parties” may have accessed “certain booking information” tied to prior reservations.
The breach comes at a time when the wider travel sector faces scrutiny over cybersecurity standards and the prevalence of fraudulent listings on booking platforms. Booking.com is owned by Booking Holdings, a US-listed group valued at around $137 billion, which also owns brands including OpenTable, Agoda and Kayak.
