Agoda Denies Data Breach as Cybercriminals Claim Theft of 82 Million Records
Asia-based travel booking platform Agoda has refuted claims of a data breach after cybercriminals alleged the theft of 82 million user records. An Agoda spokesperson stated that internal investigations confirmed the leaked data did not originate from its systems.
Researchers at Cybernews analyzed a sample of 23 records provided by the attackers, which included sensitive details such as full names, identity card numbers, phone numbers, email addresses, and hotel addresses primarily linked to Malaysian users. Notably, the sample lacked reservation dates, an unusual omission that raised questions about the data’s origin. Despite this, the researchers verified the legitimacy of the exposed information.
The incident follows a recent confirmation by Agoda’s parent company, Booking Holdings, of a separate breach affecting Booking.com users. That attack exposed names, phone numbers, email addresses, and reservation details, leading to a surge in reservation hijacking scams across North America, Europe, and the UK. The timing of the two incidents has heightened concerns about cybersecurity risks in the travel industry.
Source: https://www.scworld.com/brief/agoda-refutes-claims-of-massive-data-breach
Agoda cybersecurity rating report: https://www.rankiteo.com/company/agoda
Booking Holdings (NASDAQ: BKNG) cybersecurity rating report: https://www.rankiteo.com/company/bookingholdings
"id": "AGOBOO1776904233",
"linkid": "agoda, bookingholdings",
"type": "Breach",
"date": "4/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '82 million (alleged)',
'industry': 'Travel and Hospitality',
'location': 'Asia',
'name': 'Agoda',
'type': 'Travel Booking Platform'}],
'data_breach': {'data_exfiltration': 'Claimed by cybercriminals',
'number_of_records_exposed': '82 million (alleged)',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High (personally identifiable '
'information)',
'type_of_data_compromised': ['Full names',
'Identity card numbers',
'Phone numbers',
'Email addresses',
'Hotel addresses']},
'description': 'Asia-based travel booking platform Agoda has refuted claims '
'of a data breach after cybercriminals alleged the theft of 82 '
'million user records. Researchers at Cybernews analyzed a '
'sample of 23 records provided by the attackers, which '
'included sensitive details such as full names, identity card '
'numbers, phone numbers, email addresses, and hotel addresses '
'primarily linked to Malaysian users. The sample lacked '
'reservation dates, raising questions about the data’s origin. '
'The incident follows a recent breach affecting Booking.com '
'users, leading to a surge in reservation hijacking scams.',
'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
'breach claims',
'data_compromised': '82 million records allegedly stolen',
'identity_theft_risk': 'High (exposure of full names, identity '
'card numbers, phone numbers, email '
'addresses)'},
'investigation_status': 'Ongoing (internal investigation conducted)',
'references': [{'source': 'Cybernews'}],
'response': {'communication_strategy': 'Public denial of breach; internal '
'investigation conducted'},
'threat_actor': 'Cybercriminals',
'title': 'Agoda Denies Data Breach as Cybercriminals Claim Theft of 82 '
'Million Records',
'type': 'Data Breach'}