A data leak at Booking.com has exposed user information, including email addresses and phone numbers, with Polish users among those impacted, CERT Polska confirms.
Booking.com Data Leak Confirmed
Booking.com has confirmed a data leak affecting some user data, including email addresses, phone numbers, and reservation information, according to a press release. Financial data, such as credit card details, was not compromised.
CERT Polska has confirmed that the incident also affected users in Poland.
Initial Reports of a Hack
Foreign media outlets, including The Guardian, began reporting on a hacking attack on Booking.com on Monday, noting that the platform was sending emails to affected users.
Data Exposed in the Breach
According to Booking.com, the incident resulted in the leak of reservation data and user contact information, such as email addresses and/or phone numbers. Cybercriminals did not gain access to financial data or customer addresses.
Booking.com’s Response
“Although unauthorized access was quickly stopped, we are still assessing its effects. To date, we have determined that most of the information that leaked relates to previous reservations. Because our customers remain our highest priority, we immediately notified them. Furthermore, we are cooperating with law enforcement and data protection authorities, providing them with the information they need for further investigation,” stated Booking.com’s press office.
The company did not respond to questions regarding the date of the leak, its cause, or its scale.
CERT Polska’s Assessment and Phishing Warnings
CERT Polska stated that it had not received reports regarding the incident at Booking.com, but “analysis of publicly available materials indicates that it also concerns part of Polish users.”
The team emphasized that the image of reservation companies, particularly Booking.com, is often used in phishing scenarios, meaning cybercriminals impersonate these platforms and attempt to obtain data or money. “Such campaigns are most often massive in nature and we do not directly associate them with the aforementioned incident. However, the situation in cyberspace is dynamic and it may happen that information obtained from the leak will be used by fraudsters for further actions,” CERT Polska noted.
Previous Incidents at Booking.com
According to The Guardian, this is not the first such incident at Booking.com. In 2018, cybercriminals stole login credentials of an employee from the United Arab Emirates, gaining access to data of over 4,000 users. The platform reported the leak to the Dutch data protection authority 22 days after the fact, resulting in a fine of 475,000 euros.
About Booking.com
Booking.com is one of the world’s largest online platforms for booking accommodations, founded in 1996 in Amsterdam. It is currently owned by the American company Booking Holdings. The platform enables reservations in 43 languages for over 28 million accommodations, including hotels, apartments, vacation homes, and guesthouses.
