Booking.com Breach: What to Know and How to Respond

Data breaches affecting hospitality have become frighteningly common. In the past six months alone, we’ve seen successful attacks targeting Red Roof and Taj Hotels. Even scarier, for every attack that leads to a breach, there have been hundreds or potentially thousands of attacks that may have been only narrowly thwarted.

Given the constant stream of news and near-daily reports of incidents, it is understandable if you are experiencing a form of cyber fatigue—a feeling of helplessness or of being overwhelmed and unsure about where to start with sifting through the range of threats to pick out which are most relevant to you, which insights can be learned, and what if any actions you should take.

Against this backdrop, the VENZA Echo has attempted to operate as an information filter. Our goal has been to bring you pressing news and to turn the noise of a busy data security landscape into actionable signals that move the needle for your organisation’s security. This week, we’re bringing you just that.

Based on our assessment of risk, and real-world threat intelligence brought to us by our clients, we want to alert you to the threat of a recent breach that affected the extremely popular travel site Booking.com.

What Happened?

A portion of Booking.com’s sensitive data was compromised by a phishing attack. The company is still investigating the extent of the breach, but it is at this point clear that at least some of its customers’ credit card information was accessed and stolen by cybercriminals. Here is how it happened. According to JD Supra,

“The attack began when a hacker pretending to be a traveler sent an email to various hotels. When a hotel employee clicked on a malicious link contained in the email, the hotel’s computer became infected with a virus. Once the virus was active, it allowed hackers to obtain hotels’ IDs and passwords for Booking.com. From there, hackers sent fake emails to travelers pretending to be members of the hotel staff. In these emails, hackers would explain they needed travelers to enter their credit card information into a fake Booking.com site, where hackers were able to obtain travelers’ credit card information.”

This is, once again, a lesson in the importance of vendor security. Even if your own systems are secure, they can still be affected by weaknesses in the systems of others that you interact and interface with.

What’s the Threat?

Booking.com services 400,000 hotels around the world and generates over $10 billion USD in annual revenue. Given the scale, it is likely that many travelers will be affected by the breach.

The primary way this breach has been used by scammers is through direct outreach to customers. Individuals staying at hotels have been receiving emails from official booking.com email addresses warning that their stays may be cancelled unless they confirm their payment information (bank or payment card details) through an embedded link. VENZA clients have then been indirectly involved as they have fielded requests from guests asking whether these emails are legitimate.
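As an added illustration (not VENZA's or Booking.com's code), the following hypothetical triage helper shows how a front desk or help desk could screen a guest-forwarded email for the lure shape described above: a sender that looks like booking.com, a threat of cancellation, and a request to re-enter payment details through an embedded link. All sample messages, domain names and keyword lists are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Hypothetical help-desk triage helper for guest-forwarded emails (added
# illustration, not VENZA's or Booking.com's code). It scores the lure shape
# described above: a booking.com-looking sender, a cancellation threat, and a
# request to re-enter payment details through an embedded link.
LEGIT_DOMAINS = ("booking.com",)
URGENCY_TERMS = ("cancel", "suspend", "within 24 hours", "action required")
PAYMENT_TERMS = ("card", "payment", "bank")
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

def is_legit_host(host: str) -> bool:
    # Exact match or a true subdomain; "booking.com-verify.example" does not pass.
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)

def triage_message(sender: str, subject: str, body: str) -> dict:
    """Collect indicators from one message and return a verdict.
    The sender domain is reported but never trusted on its own, because the
    lures in the article came from genuine booking.com addresses; the host
    behind the embedded link is the decisive signal."""
    text = f"{subject} {body}".lower()
    offsite = [u for u in URL_RE.findall(body)
               if not is_legit_host(urlparse(u).hostname)]
    urgency = [t for t in URGENCY_TERMS if t in text]
    payment = [t for t in PAYMENT_TERMS if t in text]
    escalate = bool(offsite and urgency and payment)
    return {
        "sender_domain": sender.rsplit("@", 1)[-1].lower(),
        "offsite_links": offsite,
        "urgency_terms": urgency,
        "payment_terms": payment,
        "verdict": "escalate" if escalate else "likely benign",
    }

# Constructed sample messages (not real mail): one shaped like the lure, one
# routine confirmation that links back to the genuine site.
SAMPLES = {
    "lure": ("noreply@booking.com",
             "Action required: your reservation will be cancelled",
             "Confirm your card details within 24 hours at "
             "https://booking.com-verify-payment.example/confirm"),
    "benign": ("noreply@booking.com", "Your booking confirmation",
               "View your reservation at https://secure.booking.com/mybooking"),
}

def triage_samples() -> dict:
    return {name: triage_message(*msg)["verdict"] for name, msg in SAMPLES.items()}
```

A message marked "escalate" should be confirmed with Booking.com through the property's extranet login rather than through anything in the email itself.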

It is possible that properties themselves could be affected in other ways as well. Since the full scope of the breach is currently unknown, the extent and reach of the compromise are unclear. Property account or payment information may also have been exposed.

Although the Booking.com breach occurred in early November 2023, the effects have continued to ramp up and are increasingly becoming manifest. Given that, we recommend that proactive hoteliers assume that they are at risk, even if they have not yet been notified or experienced its effects.

What Should You Do?

VENZA recommends that you take the following actions in response to this breach.

1. Change your credentials. Immediately reset all Booking.com passwords (individual or organisational) that are connected to your property. If you have not already done so, set up multi-factor authentication (MFA) on those accounts right away.

2. Spread awareness. Pass along this article or other material about the breach so that your staff is educated on the topic and able to address customer questions or concerns.

3. Watch for notifications. Booking.com is required to notify affected parties in writing. If you were impacted, they will provide you with a list of which of your information was compromised.

4. Defend against future breaches with data protection investments. Consider upgrades to your third-party vendor management tools, network segmentation practices, and more.

Feeling overwhelmed? Don’t be. VENZA is here to help. Cybersecurity is complex, but in partnership with us, your company can get started in as little as one month. Get a live demonstration today by contacting our Customer Success Team.

Ready to elevate your game? Contact Sales to discuss signing up for our programs or adding new solutions to your contract.

***

Take VENZA’s free Phishing Test to assess gaps in your human firewall today!

Human Firewall

Training your personnel to recognize and report phishing attempts is essential to protecting your guests and their data. Get started by determining your risk and readiness level using this free tool.

***

Want to stay informed? Subscribe to the free VENZA Echo now. You’ll receive a monthly digest with the highlights of our weekly article series and important product updates and news from VENZA.