
Booking.com Discloses New Data Breach, Second Major Incident in Six Years

Booking.com discloses new breach exposing reservation data, second major incident since 2018 phishing attack affecting 4,000 users.

By Peter Olaleru, Cybersecurity Editor (US), 3 min read


TL;DR: Booking.com disclosed a new data breach exposing customer reservation data, the company's second major incident in six years.

Context: The Amsterdam-based travel platform reset reservation PINs and notified customers after discovering unauthorized access to booking information. The company, which connects millions of travelers with over 30 million accommodation venues worldwide, said it "noticed some suspicious activity involving unauthorised third parties being able to access some of our guests' booking information." Upon discovering the activity, Booking.com took action to contain the issue.

Key Facts: The breach marks Booking.com's second major security incident in six years. In 2018, criminals used phishing tactics to steal login credentials from hotel employees in the United Arab Emirates, gaining access to the booking data of more than 4,000 people. The company reported that breach to Dutch regulators 22 days late, resulting in a €475,000 fine.

In the current incident, accessed information could include booking details, names, emails, addresses, and phone numbers associated with reservations. Financial information was not accessed, according to a company spokesperson. Booking.com declined to specify how many customers were affected.

The company emailed affected customers warning that hackers may have accessed "certain booking information" associated with previous reservations. The platform has also been contending with a rise in online scams in which fraudsters contact guests and request payment details under the pretext of pre-authorizing or verifying a trip, then charge large amounts to the card.

What It Means: The repeat incident underscores persistent security challenges in the online travel sector, where platforms maintain vast amounts of sensitive customer data and rely on third-party hotel partners whose security postures vary. Organizations handling reservation data should enforce multi-factor authentication across all administrative accounts, implement rigorous vendor security assessments for hotel partners, and maintain incident response plans that prioritize regulatory notification timelines to avoid similar penalties.

What Defenders Should Do:
- Review authentication mechanisms for partner hotel access to reservation systems
- Implement detection rules for anomalous booking data access patterns
- Audit third-party vendor security policies and access controls
- Ensure incident response plans meet GDPR notification timelines (72 hours)
- Train hotel partners on phishing recognition and credential security
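As an added illustration of the second recommendation (detection rules for anomalous booking data access), the following Python example is not Booking.com's tooling and not part of the original article. It assumes a hypothetical JSON-lines audit log in which every reservation read by a partner (hotel) account is recorded with a timestamp, the account, the property the reservation belongs to, the reservation ID and the source IP, plus a hypothetical mapping of partner accounts to the single property each is entitled to see. Two rules are applied over a constructed log: a partner account reading reservations that belong to a property it is not mapped to (the pattern a stolen hotel credential produces), and a burst of many distinct reservations read within a short window.

```python
"""Detect anomalous partner access to reservation data.

Added example, not Booking.com's own code. The log schema, the account-to-property
mapping and the sample events below are all assumptions constructed for illustration.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Hypothetical mapping: which property each partner account is allowed to read.
PARTNER_PROPERTY = {
    "frontdesk@hotel-a.example": "P-100",
    "frontdesk@hotel-b.example": "P-200",
}

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _event_line(ts, account, prop, reservation, src_ip):
    """Serialize one constructed audit event as a JSON line."""
    return json.dumps({"ts": ts.strftime(TS_FMT), "account": account, "property": prop,
                       "reservation": reservation, "src_ip": src_ip})


def _build_sample_log():
    """Constructed sample log: hotel-a behaves normally; hotel-b's account reads
    25 distinct reservations in under five minutes, five of them from hotel-a's property."""
    lines = []
    base = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
    for minute, res in ((0, "R-1001"), (5, "R-1002"), (40, "R-1003")):
        lines.append(_event_line(base + timedelta(minutes=minute), "frontdesk@hotel-a.example",
                                 "P-100", res, "203.0.113.10"))
    # 20 of hotel-b's own reservations followed by 5 that belong to P-100 (hotel-a).
    reservations = [f"R-20{n:02d}" for n in range(1, 21)] + [f"R-10{n:02d}" for n in range(4, 9)]
    start = base + timedelta(minutes=10)
    for i, res in enumerate(reservations):
        prop = "P-200" if res.startswith("R-20") else "P-100"
        lines.append(_event_line(start + timedelta(seconds=12 * i), "frontdesk@hotel-b.example",
                                 prop, res, "198.51.100.7"))
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def parse_events(text):
    """Parse JSON lines into event dicts with a timezone-aware datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], TS_FMT).replace(tzinfo=timezone.utc)
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_anomalies(events, window=timedelta(minutes=10), burst_threshold=20):
    """Return a list of (rule, account, detail) alerts.

    cross_property: the account read a reservation for a property it is not mapped to.
    burst: the account read at least `burst_threshold` distinct reservations within `window`
           (fires once per account, when the threshold is first crossed).
    """
    alerts = []
    recent = defaultdict(deque)   # account -> (ts, reservation) pairs inside the sliding window
    burst_fired = set()
    for e in events:
        acct = e["account"]
        expected = PARTNER_PROPERTY.get(acct)
        if expected is None or e["property"] != expected:
            alerts.append(("cross_property", acct,
                           f'{e["reservation"]} belongs to {e["property"]}; account is mapped to {expected}'))
        q = recent[acct]
        q.append((e["ts"], e["reservation"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()              # drop events that fell out of the window
        distinct = {res for _, res in q}
        if len(distinct) >= burst_threshold and acct not in burst_fired:
            burst_fired.add(acct)
            alerts.append(("burst", acct, f"{len(distinct)} distinct reservations within {window}"))
    return alerts


def run_sample():
    """Run both rules over the constructed log."""
    return detect_anomalies(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, account, detail in run_sample():
        print(f"[{rule}] {account}: {detail}")
```

The thresholds are deliberately simple; in practice the burst limit would be derived from each partner's historical read rate, and a third rule comparing the source IP or country against the account's usual locations would catch the credential-reuse scenario from the 2018 incident even when the read volume stays low.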

