UPDATE 05/06/18: Booking.com sent over the following statement in an email:
Security and the protection of our partner and customer data is a top priority at Booking.com. Not only do we handle all personal data in line with the highest technical standards, but we are continuously innovating our processes and systems to ensure robust security on our platform. In this case, there has been no compromise on Booking.com systems. A small number of properties have been targeted by phishing emails sent by cyber criminals and by clicking on those emails, the properties compromised their accounts. All potentially impacted guests have been notified and because we value our customers at Booking.com, we are supporting impacted guests to compensate for any losses incurred, and reclaim these from the property. If customers have any questions regarding their reservation or to report losses, they can contact our customer service team.
The travel e-commerce company reiterated that there was no compromise on its systems. It also clarified that properties, not customers, received phishing messages and that customers received emails asking them for payment after bad actors phished those properties.
Booking.com ended by saying it had notified all potentially affected customers and that “all impacted customers will be compensated for their losses, which we will claim back from the properties, who fell prey to phishing emails from cyber criminals.”
Scammers recently targeted Booking.com customers with phishing messages designed to steal their sensitive financial information.
According to The Sun, criminals sent out WhatsApp messages and text messages to customers claiming that a security breach had occurred and that recipients needed to change their passwords. The attack correspondence came with a link that, when clicked, gave bad actors access to bookings. These malefactors then followed up with a second message specifying that they needed customers’ banking information to process full payment in advance of the bookings.
Marketing manager David Watts of Newcastle received one of the attack messages, stating “It looked very believable and I can believe people fell for it.”
Booking.com told The Sun that it’s aware of these attack messages. It also clarified that it had not suffered a data breach and that attackers had likely compromised the systems of hotels with which it works on a separate portal. Those criminals, it said, made off with typical booking information like customers’ names, addresses, phone numbers, dates and prices of bookings and reference numbers. The attackers then used that information to send out phishing messages, which incorporated those pieces of information to enhance their appearance of legitimacy, it explained.
This isn’t the first time scammers have targeted Booking.com users. Back in November 2014, news emerged of phishers preying on thousands of users, some of whom fell for the phish and paid the attackers. Booking.com stated that it had not suffered a breach and that criminals had hacked as many as eight hotels, but a spokesperson for one of the affected hotels denied having suffered an incident and recommended that the travel e-commerce company “ensure their investigation is thorough and appropriate action is taken.”
No doubt phishers will continue to target the travel industry in an attempt to steal customers’ financial data. With that said, users should make an effort to familiarize themselves with some of the most common types of phishing attacks. This resource is a good place to start.