Booking.com Discloses Data Exposure and Ongoing Phishing Campaign
Booking.com reports unauthorised access to reservation data and warns of a persistent phishing campaign targeting the travel sector.

TL;DR
Booking.com confirmed that unauthorised actors accessed reservation data and highlighted a phishing campaign that remains active into 2025.
Context
Booking.com alerted customers after detecting suspicious activity on several reservations. The company sent an email stating that third parties may have viewed booking details, names, email addresses, phone numbers and any information shared with the accommodation. Financial data, such as credit‑card numbers, was not compromised.
Key Facts
- The breach exposed personal and travel information linked to past or upcoming bookings. Booking.com responded by resetting reservation PINs and locking inactive accounts.
- In 2024 the platform blocked more than three million fraudulent accounts, illustrating the scale of automated abuse attempts.
- Microsoft’s Threat Intelligence team identified a phishing operation, labelled Storm‑1865, that impersonates Booking.com. The campaign began in December 2024 and was still active in February 2025, targeting hospitality organisations with emails that mimic legitimate requests, negative reviews or promotional offers.
- The phishing emails often contain malicious links; Microsoft advises checking the full URL and verifying the sender’s address before clicking.
- Booking.com’s security chief, Marnie Wilking, emphasised tighter messaging safeguards, including allow‑list enforcement and custom machine‑learning models that delete malicious links.
What It Means
Exposed reservation data gives scammers a rich set of personal details to craft convincing social‑engineering attacks. Even without payment information, criminals can use names, travel dates and contact details to send fraudulent emails, texts or calls that appear to come from Booking.com or the booked hotel. Recipients should treat any unsolicited request for credit‑card details, bank transfers or personal information as suspicious; Booking.com will never ask for such data via email, phone, text or WhatsApp.
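The checks described above (look at the full link target rather than the displayed text, verify the sender's actual address, and treat requests for card or account data as suspicious) can be automated at a mail gateway or help desk. The script below is an added example written for this page; it is not Booking.com's or Microsoft's code. The two messages are constructed samples, the `.example` domains are placeholders, and the "registrable domain equals last two labels" rule is a simplification that ignores public-suffix cases such as `co.uk`.

```python
"""Triage an inbound email for the indicators discussed above: display name
vs. real sender domain, lookalike domains, link text vs. link target, and
requests for payment or account data. Standard library only."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"booking.com"}   # the brand being impersonated
BRAND_TOKEN = "booking"             # substring lookalike domains reuse
# Phrases that, per the article, Booking.com never sends by email
REQUEST_PHRASES = ("credit card", "bank transfer", "verify your account",
                   "confirm your payment")


class _BodyScanner(HTMLParser):
    """Collects (href, visible text) for every <a> plus all visible text."""
    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
        self._href, self._anchor_text = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor_text = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor_text).strip()))
            self._href = None


def registrable(host):
    """Last two DNS labels (assumption: no public-suffix handling)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def is_lookalike(host):
    """Brand name present, but the owning domain is not the brand's."""
    return BRAND_TOKEN in host and registrable(host) not in TRUSTED_DOMAINS


def triage_email(raw):
    """Return {'verdict': 'clean'|'suspicious', 'findings': [(code, detail)]}."""
    msg = message_from_string(raw)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    from_host = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # Display name claims the brand, envelope address belongs to someone else
    if BRAND_TOKEN in display.lower() and registrable(from_host) not in TRUSTED_DOMAINS:
        findings.append(("sender-mismatch", f"{display!r} sent from {from_host}"))
    if is_lookalike(from_host):
        findings.append(("lookalike-sender", from_host))

    scanner = _BodyScanner()
    scanner.feed((msg.get_payload(decode=True) or b"").decode("utf-8", "replace"))

    for href, text in scanner.links:
        target = host_of(href)
        if is_lookalike(target):
            findings.append(("lookalike-link", target))
        # Visible text that is itself a URL must point where it says it does
        shown = host_of(text) if text.startswith(("http://", "https://")) else ""
        if shown and registrable(shown) != registrable(target):
            findings.append(("link-text-mismatch", f"shows {shown}, goes to {target}"))

    body = " ".join(scanner.text).lower()
    findings += [("data-request", p) for p in REQUEST_PHRASES if p in body]

    return {"verdict": "suspicious" if findings else "clean", "findings": findings}


# Constructed samples; the domains below are placeholders, not real hosts.
PHISH = """\
From: "Booking.com Partner Support" <support@booking-partners-verify.example>
To: frontdesk@hotel.example
Subject: A guest left a negative review - action required
Content-Type: text/html

<p>Please open <a href="http://booking.com.account-check.example/login">https://admin.booking.com/</a>
to verify your account and confirm your payment card within 24 hours.</p>
"""

LEGIT = """\
From: Booking.com <noreply@booking.com>
To: frontdesk@hotel.example
Subject: Your weekly extranet summary
Content-Type: text/html

<p>Your summary is ready. <a href="https://admin.booking.com/">Open the extranet</a>.</p>
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, triage_email(raw))
```

The link-text check is the one that catches the pattern Microsoft warns about: the anchor reads `https://admin.booking.com/` while the `href` resolves to a domain the brand does not own. In production the `registrable()` helper should be replaced by a public-suffix-list lookup, and findings would feed a quarantine or user-report workflow rather than being printed.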
Mitigations – What Defenders Should Do
1. Deploy email‑gateway filters that flag known phishing indicators tied to Storm‑1865 (e.g., subject lines referencing guest reviews or account verification).
2. Enforce DMARC, DKIM and SPF for corporate domains so that spoofed Booking.com messages are less likely to reach inboxes.
3. Apply the latest security patches to web‑application firewalls and ensure any third‑party components used by reservation systems are updated to address CVE‑2024‑XXXXX (hypothetical example).
4. Monitor for anomalous login attempts on booking platforms; lock accounts after a defined number of failed attempts and require multi‑factor authentication for privileged access.
5. Educate staff and partners on verifying sender addresses, hovering over links to view the full URL, and reporting suspicious communications to the security team.
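Item 4 of the list above (monitor anomalous logins, lock after N failures) is concrete enough to show as detection logic. The script below is an added example for this page, not Booking.com's implementation: the log format, the thresholds and the sliding-window policy are assumptions, and the log lines are constructed, with RFC 5737 documentation addresses standing in for real sources. It flags two patterns a partner-portal defender would want to separate: one account hammered from one source (lock it) and one source failing across many accounts (spraying, which per-account lockout alone never triggers).

```python
"""Sliding-window failed-login monitor with per-account lockout and
per-source spray detection. Example code; the log format is assumed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5            # failures per account within WINDOW -> lock
WINDOW = timedelta(minutes=10)   # sliding window for counting failures
SPRAY_MIN_ACCOUNTS = 3           # distinct accounts one source fails on -> alert

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_OK|LOGIN_FAILED) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one assumed-format log line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "event": m["event"], "user": m["user"], "src": m["src"],
    }


def analyse(lines):
    recent = defaultdict(deque)   # user -> timestamps of failures inside WINDOW
    per_src = defaultdict(set)    # src  -> accounts it has failed against
    locked, lock_events, alerts = set(), [], []

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                       # malformed lines are skipped, not fatal
        user, ts, src = rec["user"], rec["ts"], rec["src"]

        if rec["event"] == "LOGIN_OK":
            # A success on an account we decided to lock means the lock is not
            # being enforced upstream; that is worth an alert of its own.
            if user in locked:
                alerts.append(f"{ts.isoformat()} success for locked account {user} from {src}")
            recent[user].clear()           # policy assumption: success resets the count
            continue

        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > WINDOW:    # drop failures older than the window
            q.popleft()
        per_src[src].add(user)

        if len(q) >= LOCKOUT_THRESHOLD and user not in locked:
            locked.add(user)
            lock_events.append((user, ts))

    spray_sources = sorted(s for s, users in per_src.items() if len(users) >= SPRAY_MIN_ACCOUNTS)
    return {"locked": sorted(locked), "lock_events": lock_events,
            "spray_sources": spray_sources, "alerts": alerts}


# Constructed sample log: one brute-forced account, one slow failing user,
# one source spraying three accounts, and a malformed line.
SAMPLE_LOG = """\
2025-02-10T09:00:00Z LOGIN_FAILED user=partner-9001 src=192.0.2.44
2025-02-10T09:01:10Z LOGIN_FAILED user=partner-4412 src=203.0.113.7
2025-02-10T09:01:25Z LOGIN_FAILED user=partner-4412 src=203.0.113.7
2025-02-10T09:01:40Z LOGIN_FAILED user=partner-4412 src=203.0.113.7
2025-02-10T09:02:05Z LOGIN_FAILED user=partner-1001 src=198.51.100.23
2025-02-10T09:02:09Z LOGIN_FAILED user=partner-1002 src=198.51.100.23
2025-02-10T09:02:13Z LOGIN_FAILED user=partner-1003 src=198.51.100.23
2025-02-10T09:02:30Z LOGIN_FAILED user=partner-4412 src=203.0.113.7
2025-02-10T09:03:00Z LOGIN_FAILED user=partner-4412 src=203.0.113.7
2025-02-10T09:03:20Z LOGIN_OK user=partner-4412 src=203.0.113.7
2025-02-10T09:30:00Z LOGIN_FAILED user=partner-9001 src=192.0.2.44
2025-02-10T10:00:00Z LOGIN_FAILED user=partner-9001 src=192.0.2.44
this line is malformed and is skipped
""".splitlines()

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Note that `partner-9001` fails three times but is never locked, because its failures are spread over an hour and fall out of the ten-minute window; a fixed counter without a window would have locked a user who is probably just mistyping. The spray source `198.51.100.23` triggers no per-account lock at all, which is why the per-source view is kept alongside the per-account one.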
Looking Ahead
Watch for updates from Booking.com on additional safeguards and for Microsoft’s next threat‑intel brief on the evolution of the Storm‑1865 phishing infrastructure.