Booking.com data breach: Customer reservation data exposed
“Unauthorized third parties may have been able to access certain booking information associated with your reservation,” email alerts sent out by Booking.com over the weekend warn.
The online travel agency did not say which system(s) were accessed by the unauthorized third parties nor explained the scope of the incident.
They only said that they “recently noticed suspicious activity affecting a number of reservations” and that their investigation revealed that the attackers may have accessed name(s), emails, addresses, and phone numbers associated with the booking, as well as specific information that customers may have shared with the accommodation via the Booking.com platform.
According to information received by The Guardian, financial information was not accessed.
The “issue” has been contained, the company stated, and affected users are getting notified: “To keep your booking secure, we have updated the PIN number of your booking reservation.”
Beware of phishing and scams
Booking.com customers have shared on Reddit that they’ve received multiple alert emails, for current reservations and past bookings.
Some have complained about scam attempts via WhatsApp, which leveraged personal details, booking references, dates and the name of the hotel. Whether these scam attempts are directly linked to the breach remains unclear.
“Given that Booking.com is the largest and most widely used travel agency site in the world, this could turn out to be a sizable attack,” noted Keven Knight, CEO of Talion, a UK-based managed security services provider.
“Currently it looks like attackers accessed personal details and previous bookings, but no financial information was compromised. This is somewhat comforting, but victims should be aware that (…) stealing financial information isn’t the only way attackers can monetise on a breach. Victims are still at risk of phishing, and these communications could be highly tailored given the attackers know about the previous holiday bookings.”
Dubai-based cybersecurity company Hackmanac says that the Vect hacking group apparently claimed breaches at Booking.com and AirBnB, but their claims remain unconfirmed.
Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!