Booking.com has acknowledged a security breach that has resulted in the theft of information linked to bookings made through the platform. Among the stolen data are names, addresses, phone numbers, email addresses, and other data that users may have shared with the accommodations.
The company has specified that bank details were not extracted. It has also updated the PINs of the reservations that could have been affected by the incident, in an attempt to limit additional risks for customers.
Warning about possible impersonation attempts
After detecting the intrusion, the platform has warned of possible scams through phone calls, emails, and text messages. The risk, according to the company, is that third parties try to impersonate accommodations or the company itself to obtain more information from users or induce them to make a fraudulent payment.
Booking has detailed neither how many users could be affected nor the exact date on which the attack occurred. It has reported the incident to the data protection regulatory body of the Netherlands.
Background and control over data protection
The case follows several earlier privacy and fraud actions related to tourist bookings. In 2024, the Spanish Data Protection Agency sanctioned several hotels for acting as intermediaries in scams aimed at stealing data from Booking customers.
Furthermore, an investigation by the same body concluded that the platform had data protection failures and that, in the case analyzed, it notified neither the victim nor the regulators of the incident.
What to do if there are indications of fraud
The National Cybersecurity Institute reminds users that, in the event of a possible digital scam or fraud, the appropriate course of action is to file a complaint with law enforcement. It also keeps its assistance channels active for individuals and companies:
- The free 017 cybersecurity helpline
- WhatsApp support channels
The main recommendation is to exercise extreme caution with any communication linked to a reservation, especially when personal data, passwords, or payments are requested outside the usual channels. Checking the sender, not opening dubious links, and confirming any incident directly with the accommodation or through the official application are basic steps while the real extent of the breach is clarified.