Booking.com, the well-known online travel agency for booking hotels and accommodation, has confirmed unauthorized access to its systems in recent hours. The attack reportedly exposed some users' personal information. The stolen data (names, email addresses, telephone numbers) could be used by cybercriminals to make phishing attempts and other online scams more credible. At the moment, the financial data of the individuals involved does not appear to have been stolen. The company responded to the attack by updating the security PIN codes associated with bookings and promptly reporting the incident, but the precise number of people affected and the identity of the attackers remain unknown.
What happened with the hacker attack on Booking: the stolen data and the security measures
According to the communications sent to users, the attackers reportedly had access to a set of reservation-related information: names, email addresses, telephone numbers and details of the stay, including booking dates and information on the booked properties. In some cases, this may also include information shared directly with the accommodation facilities, i.e. messages or special requests sent via the platform.
Courtney Camp, a spokeswoman for Booking.com, told TechCrunch that the company "noticed some suspicious activity involving unauthorized third parties able to access some of our guests' booking information". After discovering what had happened, the company took containment measures. These include resetting the PIN codes associated with bookings, a measure to prevent unauthorized changes to accounts or travel details. At the moment, no details have been provided on how many users were affected, which makes it difficult to assess the true extent of the incident.
The possible risks deriving from the data breach
Data stolen from the platform could be used by cybercriminals to carry out future targeted attacks. Some users have already reported receiving suspicious messages on WhatsApp containing accurate information about their bookings. This type of attack is a form of phishing, a social engineering technique in which the attacker pretends to be a trustworthy person to obtain sensitive data or money. When phishing uses real information, such as the exact dates of a stay and a reference to the hotel where you actually have a pending reservation, it becomes much more difficult to recognize. These cases are known as spear phishing, i.e. targeted phishing, tailor-made for a specific victim.
It is not an isolated phenomenon. In recent years the platform has been the target of several fraudulent campaigns, often based on indirect access to systems, for example through the credentials of compromised accommodation facilities.
What to do if a booking has been made with the online platform
If you have made a reservation on Booking and have not received a communication from the platform about a possible data breach, in theory you should have no reason to worry. In any case, whether or not you have received that communication, if you have recently made a Booking reservation you would do well to pay close attention to any messages on WhatsApp or similar channels. In particular, be wary of anyone who claims to be Booking or the accommodation facility you have booked and who makes strange requests, even if they make explicit and precise references to a recent booking of yours.
For example, if you are asked to provide sensitive data (such as your credit card details), perhaps with the excuse that the payment was not successful and that your Booking reservation is at risk, do not respond to these requests. Don't provide any personal data, don't click on any links and, obviously, don't make any payments. If you have any doubts about the reliability of a communication received via WhatsApp, SMS or email, contact the accommodation facility by telephone and/or contact Booking customer care for clarification. When doing so, use the contact details you find on the property's website or on the Booking contact page.









