Booking has confirmed the theft of some customers' personal information after detecting a cyberattack that reportedly allowed unauthorized third parties to access data linked to reservations. The company maintains that, for the moment, no access to financial information from Booking.com's systems has been recorded.
The company has explained that it detected suspicious activity related to possible unauthorized access to certain reservation information belonging to some of its users. The exact scope of the incident has not been detailed, although it has been confirmed that it affects the personal data of some customers.
"Recently we detected suspicious activity that implied that unauthorized third parties could access certain booking information of some customers" - Booking
The risk is concentrated in the fraudulent use of reservation data
Beyond a possible theft of banking data, cybersecurity specialists warn that this type of breach can facilitate highly targeted fraud. The information associated with a reservation makes it possible to build communications that appear authentic and that can arrive through various channels.
"The true risk lies in the details of the reservations. That information allows attackers to create very convincing messages, whether through WhatsApp, email, or a phone call that seems totally legitimate. What makes this even more dangerous is how common these types of interactions already are" - Gonzalo Gabriel y Galán, Integrity360
That scenario opens the door to especially credible social engineering campaigns, in which the user can receive a message related to a stay, a modification of the reservation or a supposed incident with the accommodation and end up providing more personal data.
A chain of incidents in the hotel sector
The attack on Booking comes amid recent incidents in the tourism and hotel industry. In 2025, the Otelier platform suffered the leak of more than 437,000 guest records, with customer data from Marriott, Hilton and Hyatt.
A year earlier, in 2024, a cyberattack against Omni Hotels & Resorts affected its online reservations, payment processing, and digital key systems. And in 2023, MGM Resorts suffered a social engineering attack that caused losses exceeding 100 million dollars.
"It made the hasty decision to close each and every one of the Okta Sync servers after learning that we had been stalking and tracking passwords" - MGM Resorts Attackers
The succession of cases reflects the growing pressure on booking platforms and hotel chains, where operational data and customer information have become a priority target for cybercriminals. In Booking's case, the company maintains that the investigation remains open to clarify the scope of unauthorized access and the volume of affected users.