Overview
- Booking.com confirmed unauthorized access to some booking records that included names, contact details, and stay information, and the company reset PINs for affected reservations while saying no payment data in its systems was taken.
- Criminals are using hotel and platform messaging, as well as WhatsApp, to pose as properties and push guests to reconfirm payment or share card details, in what security firm Norton calls reservation hijacks.
- The company warns it will never ask for card details over email, phone, WhatsApp, or text, and it will not request off-platform bank transfers, urging users to verify messages through the Booking.com app or by calling the hotel using a verified number.
- The scope of the breach remains undisclosed, with customers in several countries reporting targeted phishing tied to their exact reservations and some reporting large unauthorized charges after receiving scam messages.
- Security experts say reservation specifics make phishing far more believable, and CBC notes Booking.com was fined by Dutch regulators in 2018 for late breach reporting, underscoring ongoing risks for travel platforms and their users.