Mysterious leak of Booking.com reservation data is being used to scam customers

(credit: Getty Images)

For almost five years, Booking.com customers have been on the receiving end of a continuous series of scams that clearly demonstrate that criminals have obtained travel plans and other personal information customers provided to the travel site.

One of the more recent shakedowns happened to an Ars reader who asked not to be identified by his real name. A few months ago, Thomas, as I’ll call him, reserved and paid for a two-night stay scheduled for this July in a hotel in Italy. Here’s the legitimate reservation:

The real reservation from Booking.com.

Last week, out of the blue, he received two emails. The headers show that the first message came from the genuine Booking.com domain. It purported to have been sent on behalf of the hotel in Italy and asked that he click a non-existent confirm button for his upcoming stay. It went on to inform him that the hotel would “also transfer all bookings made from that address to your account.” As phishy as that sounds, the email included his full name, the confirmation number of his reservation, the correct name of the hotel, and the dates of the stay.

First page of the email.

The second page.

A second email purported to also have been sent by Booking.com on behalf of the hotel, but headers show that it was in fact sent by an address from yandex.net. The email included the previously mentioned confirmation button that led to a URL that was generated by the Russian shortening service nah.uy.

The scammer email containing the continue button.

Clicking on the confirm button led Thomas to an almost perfect replica of the real Booking.com webpage. It, too, showed his name, the dates and hotel of his stay, and the exact fare he was charged and went on to direct him to enter his payment card.

The fake Booking.com payment page.

Thomas then received a WhatsApp message sent to the number Booking.com had on file for him. It posed as a message from the hotel he had booked with and asked if he needed parking during his stay.

Thomas didn’t share any of his travel details online. That means the personal information in these scammer-sent emails came either directly or indirectly from Booking.com. It remains unclear precisely how the scammers obtained it.

At this point, it’s easy to chalk up the mystery to some sort of isolated slip-up. Web searches, however, show that scams with almost all the same elements have been going on repeatedly for at least five years. In this thread from 2018, a Reddit user reported receiving an email informing them that the reservation they made with Booking.com was on hold because the credit card they used during the booking couldn’t be processed.

A scam email a Booking.com user received in 2018.

These scammers also had the correct confirmation number and precise charge for the reservation. A fellow Reddit user pointed to this article, headlined: Booking.com customers targeted by hackers in WhatsApp and text scam. It reported that multiple hotels had been targeted by WhatsApp texts that attempted to steal large sums of money from customers. The messages contained names, addresses, phone numbers, confirmation numbers, and booking dates and prices.

Booking.com told the publication that there had been no compromise on Booking.com systems, but that “a small number of properties had been targeted by phishing emails sent by cyber criminals and by clicking on those emails, the properties compromised their accounts.” The company added that “all potentially impacted guests have been notified.”

Web searches show that since the article and Reddit thread went live in June 2018, the same scam has played out repeatedly over the years and has continued right up until this month. Here are just some of the results:

  • Has Booking.com Been Hacked (and isn’t Telling Anybody)? – InsideFlyer
  • French Hotels Hacked Through Booking.com – Hotel Association – UrduPoint
  • Booking.com customers fell for phishing scams – Tourism Travel Vacation
  • Booking.com fined $560,000 for GDPR data breach violation | The Daily Swig
  • Hotel reservation platform leaked user data from top online booking sites
  • Dutch Data Protection Authority Fines Booking.com Over Incident Notification – SecurityWeek
  • Booking.com Phishing Scam Targets Unsuspecting Customers – Merrimack County Savings Bank
  • Is this a scam related to booking.com or legit? : Scams
  • Booking.com scam : Scams
  • Booking.com targeted by hackers in WhatsApp and text scam – latest advice | Travel News | Travel | Express.co.uk
  • Is there a booking.com scam? : Scams
  • Fake hotel i booked on booking.com tried to scam me on whatsapp. : Scams
  • Is this a scam? Booking.com : Scams
  • Got an odd scam via booking.com : Scams
  • This seems like it could be a scam – has anyone seen or heard of scamming someone this way? : Scams

When I flagged the five years of repeated scams to Booking.com representatives and asked for comment, they provided an almost verbatim response to the one they gave in the 2018 article:

At Booking.com, security and the data protection of our customers and accommodation partners is a top priority.

We have been made aware that some accommodation partners have been targeted by phishing emails, which unfortunately has led to their systems becoming compromised. While the security breach was not on Booking.com, we know that the accounts of some of our accommodation partners have been affected. These accounts were quickly blocked by Booking.com to help reduce the risk and our teams are actively supporting these accommodation partners to ensure they can quickly and safely resume with their listings on our platform. We are also actively supporting any potentially impacted customers, as our security teams continue to investigate this issue.

The statement also provided general practical tips for Booking.com customers to stay secure, but none of that advice would have prevented the scams I asked about.

This isn’t the first time the security of third-party partners has led to the leak of personal data for users of a travel reservations service. In 2020, researchers from a company called Website Planet reported finding a stash of data collected over the previous seven years for more than 100,000 people who used Booking.com and at least seven other online reservations services, including:

  • Agoda
  • Amadeus
  • Expedia
  • Hotels.com
  • Hotelbeds
  • Omnibees
  • Sabre

The data leaked in that incident included full names, email addresses, national ID numbers, phone numbers, number of hotel guests, credit card details, total cost of hotel reservations, and reservation details. Website Planet said the data had been collected and stored in a misconfigured Amazon S3 bucket by Spain-based Prestige Software, which sells a channel management platform to hotels. While this leak affected customers of multiple reservation services, Web searches show these types of data leaks continue to disproportionately affect users of Booking.com over its competitors.

It’s hard to understand how, after five years, the leak in Booking.com’s partner network continues to spill private data that leaves customers open to scams and other forms of fraud. The company’s insistence that its own systems haven’t been breached is little comfort to those affected. No travel site is immune to partner breaches, of course, but anecdotal evidence overwhelmingly suggests Booking.com customers are the most targeted. Until Booking.com comes clean, people would do well to book travel using a different site.