Booking.com customers warned of 'reservation hijacking' after hack

A data breach at travel giant Booking.com is leading to a fresh wave of scams recently dubbed "reservation hijacks".

Hackers stole customer data that experts say could lead to a surge in the scams as customers are tricked into sending criminals money.

Some customers have contacted the BBC to say they have already started receiving suspicious messages.

Booking.com says it has updated Pins for reservations and is sending out emails to affected customers warning them of the heightened risk.

But the Dutch company is refusing to say how many people have been affected and in which regions.

The platform says it has seen almost seven billion check-ins since 2010, making it one of the largest travel services in the world.

In emails to customers seen by the BBC, the company said: "We recently noticed suspicious activity affected a number of reservations and we immediately took action to contain the issue."

It goes on to say that criminals were able to access names, email addresses, phone numbers and details about past and present bookings.

It said customers' financial information was not accessed from its systems.

Experts warn this kind of data will be extremely valuable to fraudsters who are now racing to trick unwitting customers.

Cyber-security firm Norton has dubbed the scams "reservation hijacks" because criminals have contacted Booking.com customers pretending to be hotels in order to trick victims into sending them money based on bogus reservation problems.

"Reservation hijack scams have been around for some time, but this new data makes them much more dangerous because it gives criminals precision as they can reference the real property, the real travel dates, the right contact details to make the scam feel like routine customer service," said Luis Corrons, security evangelist at Norton.

Booking.com told the BBC guests should remain vigilant to potential phishing attacks.

"Booking.com will never ask guests to share credit card details by email, over the phone, Whatsapp or text, or ask guests to make a bank transfer that is different from the payment policy details in their booking confirmation," it added.

A common target

Perhaps because of its size, scammers have long abused the Booking.com platform to target customers.

Previous waves of reservation hijacks have seen hotels hacked in order to get access to the hotel's Booking.com account and send out phishing emails and text messages.

The BBC has reported on these types of scams multiple times since March 2023.

Dozens of people have contacted the BBC in recent years to say they have lost money, with one customer saying she had been "failed" by the travel firm.

Booking.com previously said it was implementing new safety features but there was "no silver bullet".

The latest hack means that fraudsters don't need to breach hotel's Booking.com administration portals - they can reach out directly to customers with convincing details to carry out their attacks.

Darren Guccione, chief executive of Keeper Security says the ongoing incident highlights the growing threat to the hospitality industry.

"When a breach at a platform the scale of Booking.com moves from data exfiltration to active phishing campaigns within days, it signals something more deliberate than opportunistic," he said.

Sign up for our Tech Decoded newsletter to follow the world's top tech stories and trends. Outside the UK? Sign up here.