Booking.com breach gives scammers what they need to target guests
Booking.com suffered a data breach in which attackers phished its hotel partners to obtain customer information, including sensitive data such as booking details, names, email addresses, physical addresses, and phone numbers. This information is used for phishing scams, and victims have suffered serious losses. The article points out the third-party security problems that are widespread in the travel industry.

2026-4-16 08:2:6 Author: www.malwarebytes.com

Travel companies love telling you your data is safe. Booking.com just reminded everyone why that’s a hard promise to keep.

The Amsterdam-based booking giant began notifying customers on April 13 that “unauthorized third parties” had accessed guest reservation data. The compromised information includes booking details, names, email addresses, physical addresses, and phone numbers—essentially everything you’d need to convincingly impersonate a hotel contacting a guest.

The criminals appear to have accessed the data by compromising Booking.com’s hotel partners. A Microsoft report blames the ClickFix phishing technique, which gets victims (in this case, hotel employees) to install malware disguised as a computer “fix.”

Microsoft blames a criminal group called Storm-1865 for the caper, and caught it running exactly this kind of campaign against hotel workers across North America, Oceania, South and Southeast Asia, and Europe, deploying nasty malware like XWorm and VenomRAT through fake CAPTCHA pages.

Booking.com’s customer notification warned that the exposed data could be used for phishing and said it would never ask for sensitive information or bank transfers.

But scammers have a proven playbook for turning stolen booking data into cash. They can hijack a reservation by impersonating a hotel, or message guests demanding a further payment or credit card details for “payment verification.” The stolen data gives them everything they need to convince the hotel customer they’re legit.

The UK’s Action Fraud received 532 reports of Booking.com scams like this between June 2023 and September 2024, with victims losing £370,000 (around $470,000).

This has happened to Booking.com partners and customers before. In 2018, criminals phished hotel employees and accessed data belonging to Booking.com customers. Scammers also conducted a voice phishing campaign later that year that targeted 40 hotels in the UAE. Over 4,000 customers’ data was stolen, including credit card data from 300 people. Booking.com was late reporting the breach to the Dutch privacy regulator, which imposed a €475,000 fine (around $560,000) in 2021.

The travel industry’s recurring breach problem

Breaches like these are a pattern in the travel business. In January 2026, Eurail disclosed a breach that spilled passport numbers, addresses, and, for some travelers, photocopies of IDs and health data. KLM and Air France had customer data swiped in August 2025. Hertz, Dollar, and Thrifty were all caught in the Cl0p gang’s exploitation of Cleo file transfer software, with criminals pilfering drivers’ licenses and credit card data.

What’s interesting about all of these incidents is that, like the Booking.com data heist, they all involve the compromise of third parties rather than the travel operations themselves. The travel industry sits on enormous troves of passport numbers, payment cards, and itineraries. And its security posture of sprawling supply chains, franchised operations, and third-party platforms makes it a soft target.

What you can do

How many customers were affected? Booking.com isn’t saying. For a platform with over 100 million active mobile app users and 500 million monthly website visits, that silence is concerning.

If you’ve used Booking.com recently, here’s the practical guide to protection. Don’t trust messages asking you to “verify” payment details, even if they arrive through the platform itself.

Here is Booking.com’s own advice about these scams, issued before this latest incident:

“If there is no pre-payment policy or deposit requirement outlined, but you’re asked to pay in advance to secure your booking, it is likely a scam.”

Check your booking confirmation email for what you actually owe and when. If anything seems off, contact the property directly, rather than through a link someone sends you. And watch your bank statements. The scammers who exploit this kind of data don’t always strike immediately.


About the author

Danny Bradbury has been a journalist specialising in technology since 1989 and a freelance writer since 1994. He covers a broad variety of technology issues for audiences ranging from consumers through to software developers and CIOs. He also ghostwrites articles for many C-suite business executives in the technology sector. He hails from the UK but now lives in Western Canada.


Article source: https://www.malwarebytes.com/blog/data-breaches/2026/04/booking-com-breach-gives-scammers-what-they-need-to-target-guests