Booking.com Customers Warned of Potential Data Breach Amid Rising Scams
Booking.com has alerted customers that unauthorized third parties may have accessed their personal information, raising concerns over the security of traveler data. The company, which manages over 28 million global accommodation listings, detected suspicious activity affecting multiple reservations and took immediate action to contain the breach.
Affected users were notified via email that exposed data could include booking details, names, email addresses, phone numbers, and any information shared with properties. While the company reset reservation PINs as a security measure, it remains unclear how many customers were impacted or whether credit card details were compromised.
The incident follows a surge in scams targeting Booking.com users, with criminals impersonating company representatives to extract payment details. One victim, Steve Atkin from New South Wales, reported losing $100 after receiving a fraudulent call from someone posing as a Booking.com agent. Despite not sharing his credit card details, funds were deducted from his account, later refunded after a two-month dispute.
Booking.com, owned by Dutch parent company Booking Holdings (which also operates Agoda, Kayak, and Priceline), generated over $38 billion in revenue last year. In Australia, it dominates the online travel market, accounting for more than 30% of bookings. However, complaints have mounted, with 842 formal grievances lodged with state consumer bodies in the past two years though the actual number is likely higher due to reporting gaps in some regions.
The National Anti-Scam Centre reported that phishing scams cost Australians over $31 million last year, with older adults disproportionately affected. Booking.com has reiterated that it will never request credit card details via phone, text, or messaging apps, nor demand bank transfers outside its official payment policies. The company continues to enhance its security measures in response to the breach and ongoing fraud risks.
Source: https://www.abc.net.au/news/2026-04-13/booking-com-data-security-breach-personal-details/106557630
Booking.com cybersecurity rating report: https://www.rankiteo.com/company/booking.com
"id": "BOO1776061928",
"linkid": "booking.com",
"type": "Breach",
"date": "12/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Multiple (exact number unclear)',
'industry': 'Travel and hospitality',
'location': 'Global (headquartered in the Netherlands)',
'name': 'Booking.com',
'size': 'Over 28 million global accommodation '
'listings, $38 billion in revenue (2023)',
'type': 'Online travel agency'}],
'attack_vector': 'Unauthorized third-party access',
'customer_advisories': 'Affected users notified via email; advised to be '
'cautious of phishing scams and verify communication '
'channels.',
'data_breach': {'personally_identifiable_information': 'Names, email '
'addresses, phone '
'numbers, booking '
'details',
'sensitivity_of_data': 'High (personally identifiable '
'information)',
'type_of_data_compromised': 'Personal information (booking '
'details, names, email addresses, '
'phone numbers)'},
'description': 'Booking.com has alerted customers that unauthorized third '
'parties may have accessed their personal information, raising '
'concerns over the security of traveler data. The company '
'detected suspicious activity affecting multiple reservations '
'and took immediate action to contain the breach. Affected '
'users were notified via email that exposed data could include '
'booking details, names, email addresses, phone numbers, and '
'any information shared with properties. The incident follows '
'a surge in scams targeting Booking.com users, with criminals '
'impersonating company representatives to extract payment '
'details.',
'impact': {'brand_reputation_impact': 'Mounting complaints and fraud risks',
'customer_complaints': '842 formal grievances lodged with state '
'consumer bodies in the past two years',
'data_compromised': 'Booking details, names, email addresses, '
'phone numbers, and information shared with '
'properties',
'identity_theft_risk': 'High (personal information exposed)',
'payment_information_risk': 'Potential (unclear if credit card '
'details were compromised)'},
'investigation_status': 'Ongoing',
'motivation': 'Financial gain (scams, phishing)',
'post_incident_analysis': {'corrective_actions': 'Enhanced security measures '
'in response to the breach '
'and ongoing fraud risks'},
'recommendations': 'Enhanced security measures, customer education on '
'phishing scams, and adherence to official payment '
'policies',
'references': [{'source': 'Booking.com customer advisory'},
{'source': 'National Anti-Scam Centre (Australia)'}],
'response': {'communication_strategy': 'Email notifications to affected users',
'containment_measures': 'Reset reservation PINs',
'enhanced_monitoring': 'Yes (ongoing security enhancements)',
'incident_response_plan_activated': 'Yes (containment measures '
'taken)'},
'stakeholder_advisories': 'Booking.com reiterated that it will never request '
'credit card details via phone, text, or messaging '
'apps, nor demand bank transfers outside its '
'official payment policies.',
'threat_actor': 'Criminals impersonating Booking.com representatives',
'title': 'Booking.com Customers Warned of Potential Data Breach Amid Rising '
'Scams',
'type': 'Data Breach'}