Travel companies often assure customers that their data is secure, but Booking.com has recently demonstrated the challenges of keeping that promise. On April 13, the Amsterdam-based booking platform began notifying customers that “unauthorized third parties” had accessed sensitive guest reservation data. This breach included crucial information such as booking details, names, email addresses, physical addresses, and phone numbers—everything scammers need to impersonate hotels and target guests.
Investigations indicate that the data was accessed through compromises of Booking.com’s hotel partners rather than the platform itself. A recent Microsoft report attributed the breach to a phishing technique known as ClickFix, where hotel employees are tricked into installing malware disguised as a computer “fix.” The criminal group behind this, identified as Storm-1865, has been caught executing similar campaigns against hotel workers across North America, Oceania, South and Southeast Asia, and Europe, using malicious software like XWorm and VenomRAT.
In its notification, Booking.com warned customers that the exposed data could facilitate phishing attacks and emphasized that it would never request sensitive information or bank transfers through unsolicited messages. However, scammers have a well-established method for exploiting stolen booking data. They can impersonate hotels, contact guests to demand additional payments, or ask for credit card details under the guise of “payment verification.”
The risks are evident, with the UK’s Action Fraud reporting 532 incidents of Booking.com scams between June 2023 and September 2024, resulting in losses of approximately £370,000 (around $470,000). This is not the first time such breaches have occurred; in 2018, criminals successfully phished hotel employees and stole data from Booking.com customers. That same year, a voice phishing campaign targeting hotels in the UAE resulted in over 4,000 stolen customer records, including credit card information from 300 individuals.
The travel industry has faced a recurring problem with data breaches. In January 2026, Eurail disclosed a breach that exposed passport numbers and health data. Other companies, including KLM and Air France, have also reported similar incidents. The Cl0p gang exploited vulnerabilities in Cleo file transfer software, stealing sensitive data from rental car companies like Hertz and Dollar.
A notable aspect of these breaches is that they typically involve third-party compromises rather than direct attacks on the travel companies themselves. The travel industry manages vast amounts of sensitive data, including passport numbers and payment details. However, its complex supply chains and reliance on various third-party platforms make it a vulnerable target for cybercriminals.
As for the number of affected customers, Booking.com has not disclosed this information, raising concerns for a platform with over 100 million active mobile app users and 500 million monthly website visits. For customers who have recently used Booking.com, it’s essential to remain vigilant.
Avoid trusting messages that ask you to “verify” payment details, even if they appear to come from Booking.com. The company advises that if there’s no pre-payment policy but you’re asked to pay in advance, it’s likely a scam. Always check your booking confirmation emails for accuracy and contact the property directly if anything seems suspicious. Additionally, monitor your bank statements regularly, as scammers may not act immediately after obtaining your data.




