On 13 April 2026, Booking.com confirmed that hackers had accessed customer reservation data. The company force-reset reservation PINs and began notifying affected customers via email from noreply@booking.com. According to reports by TechCrunch and BleepingComputer, the exposed data includes names, email addresses, physical addresses, phone numbers, and booking details — including information customers shared directly with accommodations. Payment card data does not appear to have been compromised. The scale of the breach has not been disclosed.

This is not the first time. In 2018, Booking.com suffered a breach affecting around 4,000 customers in the UAE and was later fined €475,000 for delayed reporting. This incident appears larger in scope, though the full picture is still emerging.

The real risk is phishing, not the data itself

Most of the coverage is focusing on what was stolen. That matters, but the more immediate risk for most travellers is what attackers will do with it next.

Generic phishing emails are easy to spot — misspelled domains, vague greetings, obvious pressure tactics. What you're now potentially facing is something considerably harder to dismiss: an email that knows your name, your check-in date, the hotel you booked, and possibly your booking reference number.

Imagine receiving an email appearing to come from The Shangri-La. It references your booking for 14 July, mentions your reservation number, and explains that a payment detail needs updating before check-in — with a link to what looks like the hotel's own site. That email would pass most people's instinctive checks. The booking details are real. The urgency is plausible. The link looks right.

This is exactly the attack vector that becomes viable when reservation data is in the wrong hands. It's worth noting that Booking.com's own messaging platform has been abused this way in previous incidents — attackers gaining access to property accounts and sending phishing messages through Booking.com's own interface. The data from this breach makes that style of attack possible even without platform access.

What to actually do

If you received a breach notification from Booking.com, here's what matters:

  • Reset your PIN if you haven't already, and treat any follow-up email about your booking with heightened suspicion — even if it references real details.
  • Verify through a separate channel. If you receive any communication claiming to be from a hotel or Booking.com asking for payment information or personal details, call the hotel directly using a number you find yourself — not one from the email.
  • Don't click links in booking emails. Go to the site directly by typing the address yourself or using a saved bookmark.
  • Use a password manager and make sure your Booking.com password is not reused elsewhere.
  • Watch for phone calls too. Attackers sometimes follow up phishing emails with calls. A caller who already knows your booking details can be convincing.
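The "don't click links" and "verify through a separate channel" advice above can be turned into a mechanical check for anyone who handles booking mail in bulk (a mail filter, a helpdesk triage script). The following is an added example, not code from Booking.com, HotelHaven, or the original post: it pulls every link out of an HTML email, flags links whose domain is not one a genuine booking notification would use, links that are not HTTPS, and links whose visible text shows one domain while the href points at another. The allowlist entry `example-hotel.test`, the sample email, and the reservation number in it are all constructed placeholders; `registrable()` is a deliberate simplification that keeps the last two labels of a hostname rather than consulting the public suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains a genuine message about a booking is expected to link to.
# "example-hotel.test" stands in for the hotel's real domain, which you would
# take from the confirmation you already hold, never from the new email.
EXPECTED_DOMAINS = {"booking.com", "example-hotel.test"}

# Visible link text that itself looks like a URL or bare domain.
_LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[A-Za-z]{2,}(/\S*)?")


def registrable(host):
    """Reduce a hostname to its last two labels (simplified; no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html, expected=EXPECTED_DOMAINS):
    """Return a list of {href, text, reasons} for every suspicious link in the email."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        reasons = []
        if parsed.scheme not in ("http", "https") or not host:
            reasons.append("non-web or malformed link")
        elif registrable(host) not in expected:
            reasons.append(f"domain {host} is not an expected sender")
        if parsed.scheme == "http":
            reasons.append("not HTTPS")
        # Displayed text that names a domain must agree with where the href goes.
        if host and _LOOKS_LIKE_URL.fullmatch(text):
            shown = urlparse(text if "://" in text else "https://" + text).hostname or ""
            if shown and registrable(shown) != registrable(host):
                reasons.append(f"displayed as {registrable(shown)} but links to {registrable(host)}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample: one lookalike link dressed up with real-looking booking details,
# one genuine link. The reservation number is a placeholder.
SAMPLE_EMAIL = """
<p>Dear Alex, your reservation 1234567890 at Example Hotel (check-in 14 July)
requires a payment update before arrival.</p>
<p><a href="http://booking-com-secure.example.net/update">www.booking.com/mybooking</a></p>
<p>Or manage it at <a href="https://www.booking.com/myreservations">Booking.com</a>.</p>
"""

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run against the sample, only the first link is reported: its domain is outside the allowlist, it is plain HTTP, and its visible text claims booking.com while the href goes to example.net. The second link is clean. Note that the check never follows a link; it only reads what the email already says, which is the point: the booking details in the body being correct tells you nothing about where the link goes.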

Your booking data lives in more places than you think

This breach is a useful reminder of something that applies to every booking you make, on any platform.

When you complete a hotel reservation, your data doesn't sit in one place. It flows to the booking platform, to the hotel directly, to any wholesale or middleware supplier in the chain, to the payment processor, and often into the hotel's own CRM and marketing systems. Some of those systems are well-maintained. Others are not.

A single breach at any point in that chain can cascade into convincing phishing attacks because your data was already distributed across more systems than you were aware of. This isn't a problem specific to Booking.com — it's structural to how the travel booking industry works. The breach makes it visible.

Five questions to ask any booking site about security

The constructive response to any breach is to raise your standard for what you expect from companies that hold your travel data. These questions apply to every booking site — the large OTAs, the smaller independents, all of them:

  1. What data do you collect, and who do you share it with?
  2. How is payment data handled — specifically, do you comply with PCI DSS?
  3. Are you GDPR-compliant, and do you have a formal data protection framework?
  4. Where is data stored and transferred, and what protections apply to international transfers?
  5. What is your incident response process if a breach occurs?

If a booking site can't or won't answer these clearly, that's worth knowing before you hand over your details.

HotelHaven's approach — since I just asked you to apply these questions to others

I run HotelHaven, an independent hotel booking site. It seems only fair to answer the questions above for my own platform.

HotelHaven is built on secure-by-design infrastructure with strong encryption standards and strict access controls on internal data. We operate within GDPR-aligned data protection frameworks, including a formal Data Processing Agreement, and payment data is handled within PCI DSS scope. We apply a data minimisation principle — we only collect what's needed to complete a booking. We do not sell, rent, or use customer data for advertising or profiling. International data transfers are protected by Standard Contractual Clauses, and data is deleted or anonymised when no longer required. We maintain continuous monitoring and incident response processes. The documentation supporting these claims is public at the links below.

I can't tell you HotelHaven is more secure than Booking.com — no small site can credibly make that claim against a company of their size. What I can tell you is that the questions above are exactly the ones I'd want you to ask me, and the documentation is public.

The close

Don't trust any booking site blindly — including this one. Verify unusual communications before acting on them. Ask where your data goes. Apply the questions above to whoever you book with next.

HotelHaven is independent and transparent about how it handles data. That's what I'd want from any site I gave my details to, so it's the standard I hold myself to.
