Travel and reservations giant Booking.com has notified an unknown number of customers about a data breach affecting “anything” they’ve shared with certain accommodation providers.

Customers started to receive emails about the breach as early as Monday, when Booking.com told victims it had “recently noticed suspicious activity” affecting “a number of reservations”.

Based on the company’s investigation to date, victims were told their booking details, name(s), email address(es), and phone number(s) associated with certain bookings could have been accessed.

An email from Booking.com, seen by Information Age, told a customer any details they’d shared with their accommodation could have been impacted.

“[Accessed information could include] anything that you may have shared with the accommodation,” read the email.

The company also told individual victims “your financial information was not accessed from Booking.com’s systems”, but did not rule out the possibility that identification documents or other sensitive details were accessed.

Booking.com’s investigations are understood to be ongoing, while staff “immediately took action” to contain the issue after discovering it.

A spokesperson for the Office of the Australian Information Commissioner (OAIC) confirmed that Booking.com has notified the commissioner of a data breach.

An anonymous Australian customer who received Booking.com emails for two separate reservations told Information Age they felt the company was “not very forward” in their explanation of what data may have been affected.

“Having been in multiple data breaches, it’s not even a surprise anymore,” they said.

“It’s frankly sad that data breaches like this are becoming a day-to-day occurrence.”

Booking.com told customers that the PIN numbers for their affected reservations had been updated, while victims were warned to be vigilant of phishing attempts.


[Image: Customers were told via email to be careful about bank transfers and WhatsApp messages. Credit: Supplied]

How many customers were impacted?

Booking.com did not respond prior to publication when asked how many customers were impacted by the breach, what systems were affected, and whether sensitive details such as passports could have been accessed.

Troy Hunt, chief executive of popular breach tracking platform Have I Been Pwned, told Information Age that Booking.com could be in a situation where “if they communicate too early, it’s vague information, but if they communicate too late, they’re putting people at risk”.

“Their challenge is to figure out what information to communicate, and when,” said Hunt.

“For a lot of organisations if they’re in the midst of a potential ransom incident they might know there’s potential for ongoing compromise.

“They’d need to figure out how much to communicate without ‘tipping their hand’ to potential adversaries.”

Hunt said although it’s “very, very difficult” to criticise organisations for vague communication without knowing the full details of a given security incident, companies are “increasingly cautious in their disclosures” because they’re “hedging their bets legally”.

“Companies are more frequently trying to avoid anything they say being used in subsequent class actions,” said Hunt.

“The communications we see are almost always in the interest of shareholders as opposed to customers.”

At the time of writing, neither Hunt nor Information Age has identified any ransomware demands or leaked data from the incident on the dark web.


[Image: Booking.com is headquartered in the Netherlands, but has millions of users globally. Credit: Shutterstock]

Reddit user claims they were ignored

Notably, a user on Reddit said they received phishing messages on WhatsApp that contained personal information and details from a trip they’d arranged via Booking.com.

“[The] person knows where I go, when I go and who I am,” they wrote.

Despite reporting the messages to Booking.com, the company allegedly did not respond to the customer for two weeks.

The customer later received an automated email from the company confirming third parties may have accessed their booking information.

“I reported a security breach 15 days ago, and they claimed everything was fine on their end,” they said.

“They are now sending automated emails to many customers, which clearly shows this is not an issue with just one hotel.”

Booking.com scams and complaints rise

Booking.com’s unfolding data breach has followed a string of complaints lodged with Fair Trading over reported property damages, quality of accommodation, double-bookings, and refund issues.

Indeed, Booking.com was reportedly the fourth most complained-about company to Fair Trading NSW last year.

The company, which is Australia’s most visited online travel website, has also seen a surge in scams in recent years.

Indeed, the Australian Competition and Consumer Commission’s (ACCC) Scamwatch program received some 363 reports of scams which mentioned Booking.com in 2023 – a number that increased to 416 in 2024, and 515 in 2025.