Booking.com customers warned of ‘reservation hijacking’ after hack

Scammers exploit stolen data to target travelers with deceptive schemes

A recent cybersecurity incident at Booking.com has sparked concerns over a new wave of fraudulent activities known as “reservation hijacks.” Hackers gained access to customer information, which security experts believe could fuel an increase in these scams as perpetrators attempt to extract funds from unsuspecting users.

Several individuals have reached out to the BBC, reporting they’ve begun receiving odd messages. In response, Booking.com has modified reservation codes and dispatched alerts to impacted users, cautioning them about the elevated risk. However, the Dutch-based company has not disclosed the exact number of affected individuals or the regions involved.

With nearly seven billion check-ins recorded since 2010, Booking.com operates as one of the globe’s most prominent travel platforms. Emails shared with the BBC reveal the company’s statement: “We recently identified unusual behavior impacting several reservations and swiftly addressed the issue.” The breach allowed cybercriminals to access personal details such as names, emails, phone numbers, and histories of past and current bookings. Financial data, though, remained secure within the company’s systems.

“Reservation hijack scams have existed for a while, but this fresh data makes them far more potent. Attackers can now craft convincing messages by using real property names, accurate travel dates, and correct contact information to mimic legitimate customer service,” explained Luis Corrons, a security evangelist at Norton.

Scammers have long leveraged Booking.com’s platform to prey on users, as noted in prior instances. Earlier attacks involved compromising hotel accounts to send phishing emails and texts. The BBC has previously covered similar schemes multiple times since March 2023, with numerous accounts of financial losses reported.

Booking.com advises guests to stay cautious of potential phishing attempts. The company clarifies that it will never request credit card details via email, phone, WhatsApp, or text, nor ask for bank transfers that deviate from the payment terms outlined in booking confirmations.

“This ongoing event underscores the escalating risks facing the hospitality sector. When a breach at a platform of Booking.com’s scale shifts from data theft to active phishing campaigns within days, it indicates a more targeted threat than random opportunism,” said Darren Guccione, CEO of Keeper Security.

Despite prior efforts to enhance security, Booking.com acknowledges there is no single solution to prevent such attacks. The latest breach enables fraudsters to contact customers directly with tailored details, bypassing the need to infiltrate hotel admin accounts. This shift in tactics highlights the evolving nature of cyber threats in the travel industry.