Global travel and hotel reservation giant Booking.com confirmed on Monday that hackers breached its systems and gained access to customers’ personal data. Booking.com did not disclose the exact number of people affected by the attack, which regions were affected, or even the timeframe during which the breach occurred. The company did confirm to The Guardian that “financial information was not accessed”.
What information was stolen?
According to customer notifications shared by users on social media platforms like Reddit, Booking.com says that “unauthorised third parties may have been able to access certain booking information associated with your reservation.”
“We recently noticed suspicious activity affecting a number of reservations and we immediately took action to contain the issue,” the company said in a notification message shared on Reddit.
The company noted that the hackers may have gained access to users’ names, email addresses, phone numbers, and specific booking details. Disturbingly, the hackers were also able to view “anything that you may have shared with the accommodation,” the company warned in the notification.
“To keep your booking secure, we have updated the PIN number of your booking reservation,” the notification read.
As per a TechCrunch report, the user who posted the notification screenshot said that they received a targeted phishing message via WhatsApp two weeks ago that accurately included their personal information and booking details. This suggests that the hackers may already be using the stolen data against travellers.
Booking.com spokesperson Courtney Camp told TechCrunch that the company noticed “suspicious activity involving unauthorised third parties being able to access some of our guests’ booking information”.
“Upon discovering the activity, we took action to contain the issue,” the spokesperson said, adding that the company has updated the PIN numbers for the affected reservations and directly informed guests.
Booking.com had earlier suffered a phishing attack in 2018 that compromised the booking data of over 4,000 customers by stealing login credentials from hotel employees in the UAE. The platform was later fined €475,000 by the Dutch Data Protection Authority for reporting the breach 22 days late, far exceeding the 72-hour legal limit.
How to stay safe?
If you were affected by the attack, there should be an official confirmation from Booking.com in your mailbox. Meanwhile, if you have made a recent booking on the platform, be extremely wary of urgent payment requests from hoteliers and prefer to only make the payment via the official portals.
If you do get a suspicious email or message asking for payment, report it immediately to Booking.com’s customer service.
