Booking.com Customers Alerted to ‘Reservation Hijacking’ Scams Following Hack

Travel platform faces new wave of fraudulent activity as hackers exploit stolen data

Booking.com, a leading global travel service, has been linked to a surge in scams known as “reservation hijacks” after a recent data breach. Cybercriminals have accessed customer information, enabling them to launch targeted fraud attempts by impersonating hotels and deceiving users into transferring funds. Several individuals have reported receiving suspicious communications, prompting concerns about the security of personal and financial details.

While the company claims to have reinforced its security measures, including updated PINs for reservations and alerts to affected users, it has not disclosed the exact number of customers impacted or the specific regions involved. Booking.com noted that it has processed nearly seven billion check-ins since 2010, underscoring its vast user base and the potential scale of the threat.

“We recently noticed suspicious activity affecting a number of reservations and took immediate steps to address the issue,” stated Booking.com in an email to customers. The message revealed that attackers gained access to names, contact details, and booking history, though financial data remained untouched.

Experts warn that the stolen information significantly enhances the effectiveness of these scams. Cyber-security firm Norton coined the term “reservation hijacks” to describe schemes where fraudsters mimic hotel representatives to exploit booking discrepancies. According to Luis Corrons, a security evangelist at Norton, the new data allows criminals to craft highly convincing phishing attempts, making the fraud feel legitimate.

Booking.com urged customers to stay cautious, emphasizing that it would never request credit card details via email, phone, or messaging apps. The company also highlighted that any bank transfer should align with the payment policies outlined in booking confirmations. This incident marks a shift in tactics, as scammers no longer need to infiltrate hotel accounts to target users directly.

Historically, reservation hijacks relied on compromised hotel systems to distribute fraudulent messages. However, the latest breach enables cybercriminals to bypass this step, leveraging precise details to deceive travelers. Darren Guccione, CEO of Keeper Security, noted that the rapid transition from data theft to phishing campaigns signals a more coordinated threat to the hospitality sector.

The BBC has previously reported on similar incidents since March 2023, with multiple accounts of financial losses. One customer described feeling “failed” by the platform, highlighting the growing frustration among users. Despite earlier safety upgrades, experts stress that no single solution fully mitigates the risk.

Sign up for our Tech Decoded newsletter to stay informed about the latest in tech and digital trends. Outside the UK? Subscribe here.