A recent cybersecurity incident involving Booking.com has raised concerns about what customer data may have been exposed and how it could be misused. The company confirmed to the guardian that unauthorised parties gained access to certain booking related information after detecting suspicious activity on its platform.
The compromised data may include personal details such as names, email addresses, phone numbers, and reservation information. In some cases, it could also involve messages exchanged with hotels or accommodation providers. However, Booking.com stated that sensitive financial details like credit card information were thankfully not accessed.
Although the breach did not expose payment data, experts warn that the stolen information could still be used in phishing scams. Attackers may impersonate Booking.com or hotels to trick users into revealing additional personal or financial details. Reports suggest some affected users have already received suspicious messages following the incident.
In response, Booking.com has taken steps to contain the breach, including updating reservation PINs and notifying impacted customers. The company is also advising users to remain cautious, especially when receiving unexpected communications related to bookings.
Advice for users
Customers who use Booking.com should take extra precautions in the coming weeks. Be careful with any emails, texts, or messages that ask for personal or payment information, especially if they create urgency or pressure you to act quickly. Always verify the source by going directly to the official Booking.com website or app rather than clicking on links in messages.
It is also a good idea to review your recent bookings and account activity for anything unusual. Changing your password and using a strong unique password can add another layer of protection. If you reused the same password on other sites, consider updating those as well.
As this is not the first major data breach to hit Booking.com users online appear to be losing faith in the platform and previous data breaches are being brought back into the conversation and whether or not other travel services should be looked into
Timeline of Major Incidents
- 2016: Booking.com suffered a breach initiated by a hacker with links to U.S. intelligence services. The incident was not disclosed to customers at the time.April computing.co.uk
- 2018–2021 (GDPR Fine): Criminals phished hotel staff in the United Arab Emirates to obtain login credentials. This allowed access to the personal data of over 4,000 customers. In April 2021, Dutch regulators fined Booking.com €475,000 for failing to report this breach within the required 72-hour window, having waited 22 days to notify authorities. European data protection board
- 2026: Unauthorised parties accessed customer reservation data, prompting PIN resets and notification emails. The exposed data included names, email addresses, phone numbers, and home addresses. The guardian
This along with the rise of automated “Your reservation is at risk” style phishing scams targeting users of this platform has some users wondering if the convenience of a single site booking platform is simply to good to be true, and are considering moving back to arranging bookings themself.
Finally, on whichever travel agent platform you decide to use, enable two factor authentication if available and avoid sharing sensitive details with hotels or agents through unsecured channels. Staying alert and verifying communications can greatly reduce the risk of falling victim to scams linked to this breach.
Learn more about privacy online from one of our helpful courses
or follow us on linkedin to stay up to date with us
