Cyber Incident Victim: Booking.com
Date:
Apr 2026
Location:
Netherlands
Summary
Booking.com disclosed that unauthorized third parties accessed certain guest booking information, including names, email addresses, phone numbers, reservation details and any data shared with accommodations, while confirming that financial information remained secure. The company said it contained the activity, updated reservation PINs and notified affected customers, noting the incident adds to a pattern of prior security issues in the travel sector.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In mid‑April 2026 Booking.com detected suspicious activity indicating that unauthorized third parties had accessed some guests’ booking information, a fact confirmed by a company spokesperson who said the activity was noticed and then contained. The spokesperson stated that after discovering the issue Booking.com updated the PIN number for the affected reservations and informed the guests whose data had been exposed. According to an email sent to affected customers, the accessed information could include booking details, names, email addresses, physical addresses, phone numbers and any information that the guests had shared with the accommodation provider, while the company emphasized that no financial information was accessed from its systems. Booking.com did not disclose the total number of customers impacted by the breach. The incident added to a series of prior security events at the company, including a 2025 wave of scams in which customers were asked for payment information to verify or preauthorize trips and a 2018 phishing campaign that compromised hotel employee credentials in the United Arab Emirates and led to unauthorized access to the booking data of more than 4,000 customers, a breach that was reported 22 days late to the Dutch privacy regulator and resulted in a fine of €475,000. In the period leading up to the 2026 breach Booking.com reported a 900 percent increase in travel scams from 2023 to 2024.
The company, headquartered in Amsterdam and operating a platform that connects millions of travelers to over 28 million accommodation listings worldwide, reiterated that its security team had taken steps to contain the issue and that it continued to work on the investigation, although no further details about the scope, attacker actions or timeline were made public. A former FBI agent quoted in the coverage observed that when attackers obtain genuine booking data their follow‑on communications appear legitimate and are more likely to be trusted by recipients, noting that this pattern exploits human tendencies and is facilitated by the multiple handoffs inherent in travel‑sector platforms. The agent also remarked that the travel industry’s structure creates additional opportunities for attackers to intervene between platforms, partners and customers. Booking.com’s statement confirmed that financial information remained secure and that the breach involved only certain booking‑related personal data, with no indication that payment card details or other financial identifiers were compromised. The narrative ends with the acknowledgment that the company had not released any additional information about the number of affected individuals or specific remedial measures beyond the PIN reset and guest notifications.