Hotel reservations platform Booking.com has confirmed that unauthorized parties have accessed its customer booking data, in another incident that highlights how closely customer experience is tied to cybersecurity resilience.
In a notice sent to affected users, the Amsterdam-headquartered company wrote:
“[W]e’re writing to inform you that unauthorized third parties may have been able to access certain booking information associated with your reservation.”
Booking.com has begun emailing affected users in Australia and Ireland about “suspicious activity” linked to certain bookings.
The company said it detected suspicious activity affecting a number of reservations and took steps to contain the issue. While financial data was not accessed, exposed information may include personal and booking-related details.
How the Booking.com Breach Began Outside the Customer Interface
There are indications that the incident may have originated from a broader phishing campaign targeting hotel partners.
Security researchers have linked the breach to attacks where hospitality staff are tricked into executing malicious actions via spoofed communications. Once compromised, attackers can access legitimate reservation data and use it to target customers with highly convincing follow-on scams.
Cybersecurity service provider Bridewell has observed a campaign of malicious activity targeting the hotel and retail sector. Joshua Penny, Senior Threat Intelligence Analyst at Bridewell, wrote in a blog post:
“The primary motivation driving this incident is financial fraud, targeting two victims: hotel businesses and hotel customers, in sequential order. The threat actor(s) utilize impersonation of the Booking.com platform through two distinct phishing kits dedicated to harvesting credentials and banking information from each victim respectively.”
The three-stage infection chain sends targeted emails to the Booking.com partner hotel, harvesting credentials and targeting service desk agents using a partner phishing kit, then using a customer phishing kit to target the hotel customer’s financial data.
Cofense Intelligence has also been tracking a series of Booking.com spoofing emails targeting hotel chains since late 2024. The phishing campaigns deliver remote access trojans (RATs) or information stealers via a link embedded in the emails to a fake CAPTCHA site. The website delivers a malicious script instead of a verification code and prompts the user to run the script using Windows keyboard shortcuts. According to the Cofense blog:
“These fake CAPTCHAs used for malware delivery are known as ClickFix attacks, and they are notable for having variants that convincingly spoof various brands such as Booking.com and Cloudflare while delivering arbitrary malicious script payloads.”
This highlights the reality that customer experience can be disrupted even when the core platform is not compromised.
The incident indicates how customer trust now spans an entire network of partners. Booking platforms operate as ecosystems connecting travelers and accommodation providers. Weaknesses at the partner level, such as compromised hotel accounts, can expose customer data indirectly.
Customers, however, still associate the experience with one brand. Accountability is shared, but perception is not.
CX leaders need to be aware that personalization strategies prioritizing tailored, contextual communication involve customer data that can be weaponized.
Booking.com acknowledged the scope of exposed data in its customer notice:
“[A]ccessed information could include booking details and name(s), emails, addresses, phone numbers associated with the booking and anything that you may have shared with the accommodation.”
With access to real booking details, attackers can generate fraudulent messages that closely resemble legitimate interactions, increasing the likelihood of customer engagement.
This dynamic raises questions about how much contextual information should be shared across systems, and how brands can maintain trust when attackers replicate their tone and format.
When security breaches do occur, the speed of response shapes customer perception.
Booking.com moved to contain the issue and introduced precautionary measures, including updating reservation credentials. “To keep your booking secure, we have updated the PIN number of your booking reservation,” the notice told customers.
These steps reflect the importance of visible, immediate action. Communication timing and clarity often influence customer perception as much as the breach itself. Uncertainty around the total number of affected users or full attack path can prolong concern and erode confidence.
Phishing is Now a CX Problem
Booking.com has alerted customers to the potential for follow-on scams, and several Reddit users have reported receiving phishing messages on WhatsApp regarding travel reservations made through the platform.
The incident highlights how phishing affects the customer journey. It follows a pattern of attacks targeting the travel sector, particularly through partner networks. Each breach may be contained individually, but repeated exposure shapes customer perception over time.
Attackers increasingly mimic core CX touchpoints, including transactional messages such as booking confirmations, payment requests and support interactions.
That creates new responsibilities for CX teams, as security awareness is becoming part of experience design. This includes designing communications that are harder to imitate, establishing clear signals of authenticity, and educating customers on expected interaction patterns and security risks.
When customers encounter scams linked to legitimate bookings, even indirectly, confidence in the overall experience can weaken. How organizations need to think about customer experience now includes the resilience of partner ecosystems, the integrity of customer communications and the ability to respond quickly and visibly.
