Booking.com Hack Exposes Sophistication of Cyber Crime

A series of scams targeting Booking.com customers has exposed the magnitude of the recent data breach at the travel agent giant.
According to an initial investigation, hackers appeared to gain access to customer data, including names, email addresses, phone numbers and details about present and past booking history.
Experts on the matter note that such information carries a high risk of exploitation by fraudulent actors to trick customers.
Dubbed “reservation hijacks” by cybersecurity firm Norton, the scams involve criminals contacting Booking.com customers, purporting to act on behalf of hotels, to trick them into sending money over fake reservation issues.
Numerous customers have reported receiving suspicious messages, prompting Booking.com to update PINs for reservations. It is also sending out emails to affected customers, informing them of the recent heightened risk.
However, the travel marketplace has refused to disclose the number of people affected or the regions the breach spans.
The scale of the breach
While customers’ financial information was not exposed, the extent of the breach appears to be considerable.
Luis Corrons, Security Evangelist at Norton, says: “Reservation hijack scams have been around for some time, but this new data makes them much more dangerous because it gives criminals precision as they can reference the real property, the real travel dates, the right contact details to make the scam feel like routine customer service.”
Booking.com has clarified that it never asks guests to share credit card details by email, phone, WhatsApp or text. It will also never ask guests to make a bank transfer that is outside the payment policy details in their booking confirmation.
According to experts, the nature of the crime suggests that the hackers can also access any customer information shared with the accommodation providers. This could include travel documents such as copies of passports or government-issued IDs, which are often requested when making hotel reservations.
While Booking.com did notify customers by email that physical addresses were not accessed, there was no mention of whether payment and travel document information had been compromised.
Unanswered questions
Critics have accused Booking.com of providing insufficient information about the attack.
The exact date of the breach also remains unclear. One Reddit user claimed to have reported a security breach two weeks ago, adding that the travel platform reassured them that “everything was fine on their end”.
What’s more, Booking.com has declined to reveal the exact nature of the attack and how hackers were able to breach the system. At the time of writing, no group has claimed responsibility for the hack.
Aaron Beardslee, Manager of Threat Research at Securonix, notes: “The Booking.com breach is yet another example, in my opinion, of what happens when organisations lack the endpoint visibility needed to answer the critical post-incident question: what exactly happened?
“At the time of writing, the cause of the breach has not been disclosed, nor has it been confirmed whether any group has claimed responsibility or whether the accessed data has been removed from its systems. This kind of opacity, whether intentional or not, erodes public trust far more than the breach itself.”
Back in January, fake Booking.com emails were used to launch a ClickFix malware campaign targeting holidaymakers. According to Securonix’s threat research (PHALT#BLYX), victims were tricked into running malicious scripts themselves, bypassing traditional security controls.
Aaron explains how sophisticated recent attack chains have become, with threat actors “abusing trusted build tools and social engineering lures to establish footholds that are nearly invisible without the right telemetry in place”.
He recommends that any organisation with access to a SIEM invest in deploying Sysmon and Sysmon for Linux across its endpoints. These tools provide the granular process creation, network connection and file system telemetry that transforms a vague "suspicious activity" narrative into a precise, defensible timeline of events.
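To make that last point concrete, the sketch below is an added example (not from Securonix or the original article) showing how process creation, network and file events can be stitched into one ordered timeline for a suspect process and everything it spawned. It assumes events already parsed into dictionaries with Sysmon's field names; every path, GUID, address and timestamp is constructed.

```python
from datetime import datetime

# Constructed events using Sysmon field names (Event ID 1 = process creation,
# 3 = network connection, 11 = file creation). Every value is invented and the
# list is deliberately out of order, as events often are after SIEM ingestion.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
EVENTS = [
    {"EventID": 3, "UtcTime": "2025-01-10 09:14:10.250", "ProcessGuid": "{P3}",
     "Image": r"C:\Tools\build.exe", "DestinationIp": "198.51.100.7", "DestinationPort": 8080},
    {"EventID": 3, "UtcTime": "2025-01-10 09:14:07.512", "ProcessGuid": "{P2}",
     "Image": PS, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "UtcTime": "2025-01-10 09:14:08.000", "ProcessGuid": "{P9}",
     "Image": r"C:\Windows\notepad.exe", "ParentProcessGuid": "{P1}", "ParentImage": EXPLORER},
    {"EventID": 1, "UtcTime": "2025-01-10 09:14:09.000", "ProcessGuid": "{P3}",
     "Image": r"C:\Tools\build.exe", "ParentProcessGuid": "{P2}", "ParentImage": PS},
    {"EventID": 11, "UtcTime": "2025-01-10 09:14:06.300", "ProcessGuid": "{P2}",
     "Image": PS, "TargetFilename": r"C:\Users\demo\AppData\Local\Temp\stage.tmp"},
    {"EventID": 1, "UtcTime": "2025-01-10 09:14:05.100", "ProcessGuid": "{P2}",
     "Image": PS, "ParentProcessGuid": "{P1}", "ParentImage": EXPLORER},
]

def descendants(events, root_guid):
    """Return root_guid plus every process created beneath it (Event ID 1)."""
    family, changed = {root_guid}, True
    while changed:  # repeat until stable, since the log order is not guaranteed
        changed = False
        for e in events:
            if (e["EventID"] == 1 and e["ParentProcessGuid"] in family
                    and e["ProcessGuid"] not in family):
                family.add(e["ProcessGuid"])
                changed = True
    return family

def describe(e):
    if e["EventID"] == 1:
        return f"process  {e['Image']} started by {e['ParentImage']}"
    if e["EventID"] == 3:
        return f"network  {e['Image']} -> {e['DestinationIp']}:{e['DestinationPort']}"
    if e["EventID"] == 11:
        return f"file     {e['Image']} created {e['TargetFilename']}"
    return f"other    event {e['EventID']}"

def build_timeline(events, root_guid):
    """Chronological (UtcTime, description) pairs for root_guid and its children."""
    family = descendants(events, root_guid)
    hits = sorted((e for e in events if e["ProcessGuid"] in family),
                  key=lambda e: datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S.%f"))
    return [(e["UtcTime"], describe(e)) for e in hits]
```

Calling `build_timeline(EVENTS, "{P2}")` yields five ordered entries and leaves out the unrelated `notepad.exe` launch, which shares a parent with the suspect process but is not part of its tree.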
Hospitality under attack
The hospitality sector has been on the receiving end of countless hacks and breaches this year. Recently, Cybernews research uncovered a massive operation that was siphoning booking data from Spanish and Austrian hospitality platforms.
In a data leak uncovered on 24 March, the team discovered a server belonging to an unknown threat actor that contained roughly 6.5GB of files exposing the personal data of hotel guests.
The affected platforms include Chekin, a Spain-based automated check-in service, and Gastrodat, an Austrian hotel management software provider. Neither has responded to requests for comment on the matter.
Compromised information stolen through such data-extraction methods heightens the risk of highly targeted phishing, identity theft and fraud attempts for hotel customers.
As modern attacks continue to evade detection, the failure of platforms to account for events after a breach often ends up damaging public trust more than the attack itself.




