Booking.comthe famous online travel agency for booking hotels and accommodation, has recently confirmed theunauthorized access to your systems. The attack would have exposed some of the users’ personal information. Data (names, email addresses, telephone numbers), the stolen ones, which could be used by cyber criminals to make phishing attempts and other online scams credible. At the moment, the financial data of the individuals involved do not appear to have been stolen. The company responded to the attack by updating the security PIN codes associated with bookings and promptly notifying the incident, but the precise number of people affected and the identity of the attackers remain unknown.
What happened with the hacker attack on Booking: the stolen data and the security measures
According to the communications sent to users, the attackers would have had access to a set of information related to reservations: names, email addresses, telephone numbers and living room details, including booking dates And information on booked facilities. In some cases, this may also include information shared directly with the accommodation facilities, i.e. messages or special requests that have been delivered via the platform.
Courtney Campspokesperson for Booking.com, told TechCrunch that the company «noticed some suspicious activity involving unauthorized third parties able to access some of our guests’ booking information». After finding out what happened, the company took action containment measures. Among these, the resetting PIN codes associated with bookings, a measure to prevent unauthorized changes to accounts or travel details. At the moment no details were provided on how many users were affected by the incidentan element that makes it difficult to assess the true extent of the accident.
The possible risks deriving from the data breach
The data stolen from the platform could be used by cyber criminals for perpetrate future targeted attacks. Some users have actually already reported receiving suspicious messages on WhatsApp containing accurate information about their bookings. This type of attack is part of the so-called phishing, a social engineering technique in which the attacker pretends to be a trustworthy person to obtain sensitive data or money. When phishing uses real information – such as exact dates of a stay and a reference to the hotel where you actually have a pending reservation – it becomes much more difficult to recognize. In fact, in these cases, we talk about spear phishingi.e. targeted phishing, tailor-made for a specific victim.
It is not an isolated phenomenon. In recent years the platform has been the target of several fraudulent campaigns, often based onindirect access to systemsfor example through the credentials of compromised accommodation facilities.
What to do if a booking has been made with the online platform
If you have made a reservation on Booking and have not received a communication from the platform regarding possible data breaches, in theory you should have no reason to worry. In any case, whether you have received the communication in question or not, if you have recently made a Booking reservation you would do well to pay maximum attention to possible communications on WhatsApp or other similar contact methods. You should pay attention, in this case, to subjects who pose as Booking or the accommodation facility you have booked and who make strange requests, despite making explicit and precise references to a recent booking of yours.
For example, if requests are made to you aimed at provide sensitive data (such as your credit card details), perhaps with the excuse that the payment was not successful and that your Booking reservation is at risk, do not respond to these requests. So, do not provide personal data, do not click on any links and, of course, do not make any payments. If you have any doubts regarding the reliability of a certain communication received via Whatsapp, via SMS or on your e-mail, contact the accommodation facility by telephone and/or contact Booking customer care to receive clarification. When doing this, obviously, refer to the contact details you find on the property’s website or on the Booking contact page.
