Hackers Access Booking.com User Data Including Names, Emails, Phone Numbers and Booking Details; Incident Contained
What Happened — Hackers accessed a subset of Booking.com customer records containing personal identifiers and reservation information. Booking.com detected the activity, contained the breach, and reset reservation PINs.
Why It Matters for TPRM —
- Personal data of travelers can be leveraged for credential‑stuffing and targeted phishing campaigns against your employees or customers.
- A breach at a major online travel agency (OTA) signals potential weaknesses in third‑party data handling that may affect downstream partners (hotels, payment processors, travel‑service integrators).
- Lack of disclosed technical details hampers risk assessment of the vendor’s security posture.
Who Is Affected — Travel & hospitality industry, online travel agencies, and any organization that relies on Booking.com for reservations (e.g., corporate travel programs, hotel chains).
Recommended Actions —
- Review your contract and data‑processing clauses with Booking.com; ensure breach‑notification obligations are met.
- Verify that any shared APIs or data feeds have been hardened and that credential rotation policies are enforced.
- Advise users to monitor for phishing attempts that reference real reservation details.
Technical Notes — The attack vector was not disclosed; no payment data was reported as compromised. Exfiltrated data includes names, email addresses, phone numbers, and reservation details. Source: SecurityAffairs