
Booking.com data breach: what travellers need to know

Booking.com has confirmed a data breach after “unauthorised parties” gained access to customer booking information.

The company says it identified suspicious activity involving reservations and moved quickly to contain the issue. Affected customers have been contacted, and reservation PINs have been updated. But while financial information was not accessed, the type of data exposed still raises real concerns, particularly because of how it can be used. 

What information may have been accessed

According to Booking.com, the breach may involve details linked to past or current reservations.

This can include:

  • Names 
  • Email addresses 
  • Phone numbers 
  • Addresses 
  • Booking details (such as dates and accommodation) 
  • Messages or information shared with the property.  

On its own, this might not seem as sensitive as payment data. But in practice, it can be enough to enable highly targeted scams. 

Why this breach is different

The platform has previously been linked to phishing attacks where hotel accounts were compromised, allowing scammers to contact customers directly. More broadly, travel platforms have become a common target because of the volume of personal data they hold.

What makes this latest incident more concerning is not just the data itself but how quickly it can be turned into convincing fraud. Security experts are already warning about so-called “reservation hijack” scams.

These involve criminals contacting travellers while pretending to be the hotel or booking platform, using real details to make the message appear legitimate. 

Because the information matches a genuine booking, it can feel like a routine request. For example:

  • Asking you to “verify” your payment details 
  • Requesting a deposit before arrival 
  • Claiming there’s an issue with your reservation.  

The timing is key. Messages often arrive just before a trip, when people are more likely to act quickly without double-checking. 

What you should do if you’ve used Booking.com

Even if you haven’t been contacted directly, it’s sensible to assume your data could be at risk and take a few simple precautions. 

Be cautious with messages about your booking

If you receive an email, text or WhatsApp message about a reservation, don’t click links or use contact details provided in the message. Go directly to the Booking.com app or website and check your booking there. 

Never share payment details outside official channels

Booking.com has confirmed it will not ask for payment details via email, phone, text or messaging apps. Any request to transfer money or provide card details outside the platform should be treated as suspicious. 

Strengthen your account security

To protect your account: 

  • Change your Booking.com password 
  • Use a strong, unique password 
  • Enable two-factor authentication where possible  

Keep an eye on your accounts

Monitor your bank and card statements for any unusual activity, particularly in the lead-up to a trip. 

Key takeaway 

When personal data is exposed, it can be used to create highly believable scams that exploit trust and urgency. And in sectors like travel, where timing and communication matter, that risk is amplified. 

For users of Booking.com, the takeaway is simple. Even when a message looks genuine — and even when it includes accurate details — it still needs to be verified.  

Join the Claim connects consumers with SRA-regulated lawyers. Keep an eye out for updates on any potential claim and possible eligibility checks/registration opportunities.

This information is for general guidance only and does not constitute legal or financial advice.
