Booking.com Breach Exposes Reservation Data — Phishing Wave Follows

Booking.com has disclosed unauthorised access to customer reservation data including names, contact details, and booking information. No payment data was taken, but the exposed reservation details create a high-quality dataset for targeted travel-themed phishing campaigns. Reservation PINs have been reset across affected bookings.

Tags: #breach #booking-com #phishing #travel #data-exposure #gdpr #personal-data

Booking.com has notified customers that attackers gained unauthorised access to systems holding reservation data, exposing names, email and postal addresses, phone numbers, and booking details. The Amsterdam-based travel platform began emailing affected users on Sunday evening, framing the incident as “suspicious activity” linked to certain bookings before confirming the breach publicly.

What Was Accessed

The compromised data includes booking details and associated personally identifiable information: names, email addresses, home addresses, phone numbers, and reservation specifics such as hotel names, dates, and locations. Booking.com has stated that payment card data was not accessed and that the problem is now “under control.”

The company reset reservation PINs on all affected bookings as a precautionary measure and has not publicly disclosed how many customers are affected or how the attackers gained access.

Why the Data Exposure Is More Dangerous Than It Appears

While the absence of financial data is positive, travel reservation data is particularly valuable for targeted phishing attacks. A threat actor who knows precisely where someone is staying, when they are travelling, and how to reach them by email and phone has everything needed to construct a highly credible fraud scenario.

The attack pattern is well established: after a reservation data breach, victims receive convincing messages appearing to come from the hotel or Booking.com, requesting card details to “confirm the booking” or offering to process a “refund.” The specificity of the message — correct hotel name, correct dates — dramatically increases the likelihood that a recipient will engage.

Booking.com itself has previously warned customers about this class of attack after third-party hotel partners were compromised via phishing campaigns that extracted Booking.com partner credentials. This incident represents a more direct exposure through Booking.com’s own infrastructure.

Regulatory Context

Booking.com is headquartered in the Netherlands and subject to GDPR. Under Article 33, the supervisory authority must be notified without undue delay and, where feasible, within 72 hours of the controller becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Given the combination of contact details with where and when people will be travelling, this breach is unlikely to qualify for that exemption. Article 34 separately requires that affected individuals be informed without undue delay where the breach is likely to result in a high risk to them, which the customer emails appear to address. Booking.com has not publicly disclosed whether it has notified the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

What You Should Do

  1. If you have upcoming Booking.com reservations, treat any communication requesting payment confirmation or card details with extreme suspicion, particularly in the next 30 days. Verify every such request by logging into your Booking.com account directly (typing the address or using the app), never via a link in an email or text message.
  2. Do not trust caller ID or email display names for any travel-related communications. The data exposed is sufficient to construct convincing impersonation attempts.
  3. Change your Booking.com account password if you reuse it elsewhere. Whilst passwords were reportedly not taken, good hygiene applies following any breach.
  4. Report suspicious follow-up messages to Booking.com’s fraud team and to your national consumer protection body. Building a picture of the phishing wave that follows this breach helps law enforcement and the platform alike.
  5. Security teams managing corporate travel accounts should alert employees who travel for work and review whether corporate cards are linked to Booking.com accounts that may have been exposed.
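For security teams acting on points 2 and 5, the following is an added example of how the warning signs described above can be turned into a mail-triage check. It is not code from the article or from Booking.com, the sample messages are constructed, and every domain other than booking.com uses the reserved .example TLD and is hypothetical. It flags display-name impersonation, an attacker-controlled Reply-To, links whose host is not a genuine booking.com subdomain (a suffix check, so `booking.com.secure-verify.example` does not pass), and the "confirm your booking" / "card details" / "refund" lures the article describes:

```python
"""Heuristic triage for reservation-themed phishing after a travel-data breach.
Added example: not Booking.com's code or the article's. Sample messages below are
constructed; non-booking.com domains use the reserved .example TLD."""

import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the brand genuinely sends from and links to (assumption for this example).
TRUSTED_DOMAINS = {"booking.com"}

# Phrases typical of the post-breach lures: "confirm the booking", "refund", card details.
LURE_PHRASES = (
    "confirm your booking", "confirm the booking", "card details",
    "payment confirmation", "verify your payment", "refund",
)


def domain_trusted(host: str) -> bool:
    """True only for a trusted domain or a genuine subdomain of one.
    This is a suffix check, not a substring check: that is what stops a
    lookalike such as 'booking.com.secure-verify.example' from passing."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def link_hosts(text: str) -> list[str]:
    """Hostnames of every http(s) URL found in the text."""
    return [urlparse(u).hostname or "" for u in re.findall(r"https?://[^\s<>\"']+", text)]


def triage(raw_message: str) -> list[str]:
    """Return the reasons a message looks like reservation-themed phishing.
    An empty list means nothing suspicious was found. Assumes a single-part
    text/plain message. The From header is not authenticated here, so a real
    pipeline should also consult SPF/DKIM/DMARC results before trusting it."""
    msg = message_from_string(raw_message)
    findings: list[str] = []

    # 1. Brand in the friendly display name, but the actual sender domain is untrusted.
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    if "booking" in display_name.lower() and not domain_trusted(from_domain):
        findings.append(f"impersonation: display name {display_name!r} but sender domain {from_domain}")

    # 2. Reply-To steering replies to a domain the brand does not control.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    if reply_domain and not domain_trusted(reply_domain):
        findings.append(f"reply-to: replies go to {reply_domain}")

    subject = msg.get("Subject", "")
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""
    text = f"{subject}\n{body}"

    # 3. Any link that does not land on a genuine booking.com host.
    for host in link_hosts(text):
        if not domain_trusted(host):
            findings.append(f"link: points to untrusted host {host}")

    # 4. The payment / refund lure itself.
    lures = [p for p in LURE_PHRASES if p in text.lower()]
    if lures:
        findings.append("lure: " + ", ".join(lures))

    return findings


# Constructed sample: what a post-breach lure with the correct hotel and dates looks like.
PHISH_SAMPLE = """From: "Booking.com Reservations" <noreply@booking-refunds.example>
Reply-To: support@booking-refunds.example
To: guest@example.org
Subject: Action required: confirm your booking at Hotel Example, 12-14 May
Content-Type: text/plain

Your reservation at Hotel Example (12-14 May) could not be verified.
Please confirm your card details within 24 hours to avoid cancellation:
https://booking.com.secure-verify.example/confirm?ref=1234567890
"""

# Constructed sample of a benign message from the real domain.
LEGIT_SAMPLE = """From: "Booking.com" <noreply@booking.com>
To: guest@example.org
Subject: Your upcoming stay at Hotel Example
Content-Type: text/plain

We look forward to your stay. Manage your booking at https://secure.booking.com/mybooking
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, triage(sample) or ["no findings"])
```

Run against the two constructed samples, the phishing message produces four findings (impersonation, reply-to, link, lure) and the benign one produces none. The suffix check in `domain_trusted` is the part worth copying: a substring test for "booking.com" would have accepted the lookalike host. Treat the output as a triage signal for a gateway rule or SOC review, not a verdict; header authentication results belong alongside it.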
