On 13 April 2026, Booking.com confirmed what millions of travellers feared: hackers had accessed customer reservation data. The compromised information includes names, email addresses, physical addresses, phone numbers and booking details — everything an attacker needs to craft a convincing phishing email that references your real trip, your real hotel, and your real dates.

The company has reset reservation PINs and notified affected customers, but it has refused to say how many people are impacted, how the breach happened, or how long the attackers had access before being detected.

This matters. Here's why.

What Was Taken

According to customer notification emails seen by multiple news outlets, the exposed data includes:

  • Full names of guests
  • Email addresses
  • Physical addresses
  • Phone numbers
  • Booking details including dates, property names and confirmation references
  • Messages exchanged with the accommodation through Booking.com's platform

Payment data and credentials — credit cards, passwords, account logins — were reportedly not accessed. But the personal information that was taken is arguably more dangerous in the short term, because it is exactly what a targeted phishing message needs.

Why "No Financial Data" Doesn't Mean "No Risk"

When criminals have your name, email, phone number and the details of a genuine hotel booking, they don't need your credit card number. They can get it from you.

Imagine receiving an email that says: "There is a problem with your reservation at the Grand Hotel in Barcelona on 22 May. Please verify your booking details to avoid cancellation." The hotel is real. The date is real. The booking reference is real. The only thing that's fake is the link — and by the time you realise, your credentials or payment details have been harvested.

This isn't hypothetical. Reddit users have already reported receiving scam messages that reference their actual Booking.com reservations. Some of these messages arrived through Booking.com's own in-app messaging system, making them virtually indistinguishable from legitimate hotel communications.

A Pattern, Not a One-Off

This is not the first time Booking.com has been here. In 2018, criminals social-engineered hotel staff in the UAE into handing over their platform credentials, exposing data for over 4,000 customers including credit card details. The Dutch Data Protection Authority fined Booking.com €475,000 — not for the breach itself, but because the company took 22 days to report it, far exceeding the GDPR's 72-hour notification requirement.

In 2024, Booking.com itself acknowledged that phishing attacks targeting travellers had surged by 900%, driven partly by AI-assisted social engineering. Compromised hotel partner accounts were being used to send fraudulent payment requests through the platform's own messaging system.

The current breach follows the same playbook. The specifics differ, but the structural vulnerability is identical: a platform that aggregates vast quantities of personal data from millions of travellers, creating an irresistible target for criminals.

What You Should Do

If you've used Booking.com recently (or ever):

  1. Do not click links in emails about your bookings. Go directly to the Booking.com website or app to check your reservations. If there's a real problem, it will be visible there.
  2. Change your Booking.com password. If you use the same password anywhere else — and be honest with yourself — change those too. Use a password manager.
  3. Enable multi-factor authentication (MFA) on your Booking.com account and every other service that supports it.
  4. Watch for phishing. Be especially suspicious of emails, texts or in-app messages that reference specific booking details and ask you to click a link, verify your identity or make a payment.
  5. Monitor your accounts. Keep an eye on your email, bank accounts and credit cards for unusual activity over the coming weeks.

For Businesses: This Is a Third-Party Risk Event

If your organisation uses Booking.com for corporate travel, this breach may have exposed employee data — names, phone numbers, travel dates and destinations. For businesses, the risks extend beyond individual phishing to include business email compromise, executive surveillance (knowing when a CFO is travelling and where they're staying), and GDPR notification obligations.

Small businesses that list properties on Booking.com or book staff travel through the platform should review their account security immediately. Our colleagues at SoC in a Box have published a detailed guide for SMBs.

Enterprise security teams should treat this as a third-party risk incident: brief your SOC, audit credentials, assess GDPR obligations, and review what data you share with travel platforms. The Cyber Defence team has published a full technical analysis with detailed recommendations for CISOs and CIOs.

The Bigger Picture

Booking.com has processed 6.8 billion bookings since 2010 and lists over 30 million properties. Its parent company, Booking Holdings, is worth approximately $137 billion. The platform sits at the centre of the global travel ecosystem, holding personal data for a significant fraction of the world's travellers.

Every time you book a hotel, you're trusting that platform with your name, address, phone number, travel dates and often your payment details. When that trust is breached — as it has been repeatedly with Booking.com — the consequences fall on you, not on the platform.

The lesson is uncomfortable but important: convenience comes with risk. Every platform you share data with is an extension of your personal attack surface. You can't eliminate the risk, but you can minimise it by sharing only what's necessary, using unique credentials everywhere, enabling MFA, and staying alert to phishing.

The Booking.com breach won't be the last. Be ready for the next one.

This article is part of an ongoing series on data breaches and their impact on individuals and businesses. For small business guidance, visit SoC in a Box. For enterprise cyber security services, visit Cyber Defence.