What can we learn from the 2026 Booking.com data breach?

Cyber Resilience 26 June 2026

In April 2026, one of the world’s largest online travel agencies, Booking.com, suffered a data breach. The company confirmed that customer booking information had been accessed by unauthorised parties, which exposed reservation data including names, email addresses, phone numbers, and travel details.

And while the company has stated that payment information wasn’t compromised, the incident has still attracted a lot of attention. Unlike many breaches where stolen data is then sold or stored for later use, this incident highlights a growing trend in cybercrime: the use of genuine, real-time information to make scams more convincing.

For businesses, the breach serves as yet another reminder that cyber risk doesn’t just sit within organisational boundaries anymore. Third-party suppliers, software platforms, and service providers all form part of the wider attack surface.

For individuals, especially those travelling during peak holiday periods like the one we’re currently in, the incident shows something else: how seemingly routine personal information can be weaponised in ways that feel shockingly believable. Let’s explore both perspectives and look into what might’ve happened.

What happened in the Booking.com breach?

According to Booking.com, the attackers gained unauthorised access to customer booking information and reservation data. The company says it detected the suspicious activity, notified affected customers, and reset reservation PINs.

As we’ve mentioned, the exposed information reportedly included names, email addresses, telephone numbers, booking reference information, and reservation details. At the time of writing (June 2026), Booking.com has not stated that payment card information was compromised.

Breaches involving customer records are unfortunately common. According to Statista, nearly 94 million data records were leaked in data breaches globally in the second quarter of 2025 alone. But what makes this incident stand out from other recent breaches is the apparent use of the stolen data in active phishing campaigns.

Rather than simply stealing information, attackers appear to have leveraged legitimate booking details to create highly personalised scams.

Why does this breach feel different?

Historically, cyber criminals have relied on volume. They’d send thousands of generic phishing emails and hope that a small percentage of the recipients would click a link or disclose information. That model is changing.

When attackers get their hands on genuine booking information, they no longer have to guess. They know who’s travelling, where they’re staying, and when they’re due to arrive. That knowledge allows them to create messages that feel authentic because, in many cases, they contain information that only a legitimate provider should know.

The shift from system exploitation to trust exploitation

This breach reflects a much broader change in cybercrime. Attackers are focusing less on breaking systems and more on exploiting trust. When a scam refers to a real hotel, a genuine reservation number, or accurate travel dates, the recipient is much more likely to believe the message is legitimate.

In effect, trusted platforms can become unwitting vehicles for such highly targeted attacks. This is especially concerning because even those of us who are very security-conscious might struggle to distinguish genuine communications from fraudulent ones.

Why do targeted attacks work so well?

Attackers benefit from a number of advantages when using real booking data, including:

  • The information is current rather than historic
  • Messages can be timed around key travel dates
  • Communications appear highly relevant
  • Recipients are often distracted while travelling
  • The request feels credible because it contains accurate details

Together, these advantages give such attacks a higher success rate than traditional phishing attempts. This is often referred to as spear phishing: targeting someone using specific information that is relevant to them or their job.

How might the attack have happened?

At the time of writing, the exact attack method has not been publicly confirmed. However, reporting suggests that the compromise might have originated through hotel or partner accounts connected to the Booking.com ecosystem. If this proves to be the case, it would represent a classic supply chain compromise.

Rather than attacking Booking.com directly, attackers might have targeted organisations connected to the platform and then used those credentials to gain access to booking information.

The growing risk of third-party compromise

This matters because it mirrors what many organisations face today. Businesses increasingly rely on cloud platforms, SaaS apps, managed service providers, external suppliers, and shared infrastructure. A weakness within any of those relationships can create risk for the wider ecosystem.

A lot of businesses invest heavily in protecting their own environments, but spend considerably less time trying to understand how supplier security could affect them. The Booking.com incident highlights why that distinction is becoming more and more difficult to maintain.

The 2018 Booking.com security incident

This recent breach isn’t the first time Booking.com has faced cyber security challenges. In December 2018, attackers reportedly used social engineering techniques to obtain login credentials from hotel staff. Using those credentials, they gained access to customer information associated with more than 4,000 bookings.

Attackers then attempted follow-on fraud using the information they’d obtained. While this was smaller in scale than the recent incident, the 2018 case demonstrated the effectiveness of targeting trusted intermediaries rather than central systems. And the themes are strikingly similar to those we’re looking at today.

The 2021 GDPR fine and what businesses can learn

In March 2021, Booking.com was fined €475,000 (approximately £410,000 in 2026) by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). It’s important to note, though, that the fine was not issued because the breach occurred. Instead, it related to how the incident was reported.

Under GDPR, organisations are generally required to notify regulators of qualifying breaches within 72 hours of becoming aware of them. Booking.com reported the incident 22 days after becoming aware of it, hence the enforcement action.

Why did so many UK businesses miss the story?

Because Booking.com is headquartered in the Netherlands, regulatory oversight sat primarily with the Dutch supervisory authority rather than the UK Information Commissioner’s Office. As a result, many UK organisations paid little attention to the case, despite the fact that the same reporting principles apply under UK GDPR.

The lessons from this case are just as relevant today. Regulators don’t just examine whether or not a breach occurred; they also assess how organisations respond once it has happened. Awareness, escalation, reporting decisions, and communication all form part of the larger regulatory picture.

Why does this matter to individuals?

Beyond being another story about corporate cyber security, this incident creates very real risks for travellers. When attackers know when you’re travelling and where you’re staying, scams become far more convincing and far more effective. Here are some of the key risks a case like this poses to individuals:

Targeted payment fraud

Imagine you receive a message saying there has been an issue with your hotel booking. The message includes the actual hotel, the correct travel dates, and your reservation number. You’re then asked to reconfirm payment details to avoid cancellation. Under those circumstances, not many people would be able to spot the fraud.

Highly convincing scam messages

These messages arrive through email, SMS, WhatsApp, other messaging platforms, and booking-related communication channels. The challenge is that they look legitimate because they’re built around real information. These are no longer the obvious phishing emails we’ve all become so used to spotting.

Social engineering at scale

Attackers will often combine real information with familiar psychological triggers. These include urgency, authority, fear of disruption, and trust in recognised brands. For someone who’s about to travel, the prospect of a cancelled booking or a failed payment can create enough pressure to bypass normal caution.

Personal safety concerns

This is a wider issue. Travel information can reveal when someone won’t be at home, where they’ll be staying, and how long they’re likely to be away. While financial fraud is still the main concern, access to this type of information inevitably raises broader questions around personal privacy and safety.

What does this mean for businesses?

The Booking.com breach highlights a challenge that businesses face across every sector: a cyber incident can affect you even if you weren’t the one that was attacked. A lot of businesses rely on dozens, sometimes hundreds, of third-party services every day.

When one of those providers experiences a security incident, the consequences can quickly go beyond the original target. Potential impacts include reputational damage, regulatory scrutiny, customer trust issues, operational disruption, and financial losses.

Increasingly, we’re seeing that cyber resilience depends on understanding the wider ecosystem rather than solely on your internal infrastructure.

How can you reduce third-party risk?

There’s no way to eliminate risk completely. But there are plenty of practical steps organisations can take to improve their resilience. Here are five examples of key controls you can implement with support from our team:

1. Third-party risk assessments

Understand which suppliers have access to sensitive information and how they protect it.

2. Enforced MFA

Multi-factor authentication (MFA) remains one of the most effective controls available and should be enforced wherever possible, including on the partner and supplier accounts that connect to your systems.

3. Security awareness training

Staff should understand how modern phishing and social engineering attacks operate, particularly those using genuine business context. We use realistic phishing simulations to train staff to identify and report suspicious activity.

4. Monitoring for unusual activity

The faster suspicious activity is identified, the greater the opportunity to limit impact. We offer 24/7 monitoring and detection services from our UK-based Security Operations Centre.

5. Tested incident response processes

A response plan is only useful if people know how it works during a real incident. Regular exercising helps organisations identify weaknesses before an actual event occurs.

How can Net-Defence help?

The Booking.com breach is a reminder that cyber risk rarely exists in isolation. Whether you’re relying on cloud platforms, software providers, outsourced services, or complex supply chains, your resilience is often influenced by organisations outside your direct control.

Understanding those dependencies, identifying where your exposure exists, and knowing how your business would respond if a key supplier was compromised are key parts of cyber resilience.

We help organisations of all kinds strengthen their security with managed IT support, Cyber Essentials certification, staff training, and so much more. Plus, by combining cyber security, IT support, and telephony services with our Business Resilience as a Service offering, there’s no shortage of ways to build a more resilient ecosystem.

If you’d like a better understanding of your third-party risk exposure, review your current cyber resilience, or discuss how your organisation would respond, get in touch with the team today.
