"Mysterious leak of Booking.com reservation data is being used to scam customers" 8 February 2023

For almost five years, Booking.com customers have been on the receiving end of a continuous series of scams that clearly demonstrate that criminals have obtained travel plans and other personal information customers provided to the travel site.

One of the more recent shakedowns happened to an Ars reader who asked not to be identified by his real name. A few months ago, Thomas, as I’ll call him, reserved and paid for a two-night stay scheduled for this July in a hotel in Italy.

Last week, out of the blue, he received two emails. The headers show that the first message came from the genuine Booking.com domain. It purported to have been sent on behalf of the hotel in Italy and asked that he click a non-existent confirm button for his upcoming stay. It informed him that the hotel would “also transfer all bookings made from that address to your account.” As phishy as that sounds, the email included his full name, the confirmation number of his reservation, the correct name of the hotel, and the dates of his stay...

...Thomas didn’t share any of his travel details online. That means the personal information in these scammer-sent emails came either directly or indirectly from Booking.com. It remains unclear precisely how the scammers obtained it...

...When I flagged the five years of repeated scams to Booking.com representatives and asked for comment...[they said]:

"At Booking.com, security and the data protection of our customers and accommodation partners is a top priority. We have been made aware that some accommodation partners have been targeted by phishing emails, which unfortunately has led to their systems becoming compromised. While the security breach was not on Booking.com, we know that the accounts of some of our accommodation partners have been affected. These accounts were quickly blocked by Booking.com to help reduce the risk and our teams are actively supporting these accommodation partners to ensure they can quickly and safely resume with their listings on our platform. We are also actively supporting any potentially impacted customers, as our security teams continue to investigate this issue."...

...It’s hard to understand how, after five years, the leak in Booking.com’s partner network continues to spill private data that leaves customers open to scams and other forms of fraud. The company’s insistence that its systems haven’t been breached is little comfort to those affected.