Booking.com Confirms Unauthorized Access to Customer Reservation Data

On April 13, 2026, Amsterdam-based online travel platform Booking.com confirmed that unauthorized third parties gained access to a subset of customer reservation information. The company, a primary subsidiary of Booking Holdings Inc., began issuing notifications to affected users after detecting suspicious activity within its booking systems. According to official statements, the breach was identified through internal security monitoring and has since been fully contained.

The information accessed during the incident includes customer names, email addresses, physical addresses, and phone numbers associated with specific travel bookings. Additionally, the unauthorized party was able to view reservation details and any correspondence or special requests shared between guests and their accommodation providers through the platform's messaging system. Booking.com emphasized that the breach did not extend to financial or payment information. Credit card numbers, expiration dates, and CVV codes were not compromised, as these are stored in a separate, hardened environment.

In an immediate response to the discovery, Booking.com implemented remediation measures, including the mandatory reset of PIN numbers for all reservations identified as potentially exposed. The company stated that this action was taken to secure existing bookings and prevent further unauthorized access to reservation management tools. While the travel giant has not disclosed the exact number of affected customers, it confirmed that all impacted individuals have been contacted directly via email with guidance on securing their accounts.

The incident has been reported to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) in accordance with General Data Protection Regulation (GDPR) requirements. This disclosure follows a period of heightened scrutiny for the platform, which has previously faced challenges related to phishing campaigns targeting hotel partners. In those instances, attackers often compromised hotel-side accounts to send fraudulent payment requests to guests. However, Booking.com has not yet confirmed if this latest breach involved a similar compromise of partner credentials or a direct vulnerability in its own infrastructure.

A spokesperson for Booking.com stated that the company is conducting a comprehensive forensic investigation to determine the full scope of the unauthorized activity. The platform, which lists more than 30 million accommodation venues globally, is advising users to remain vigilant against potential phishing attempts that may utilize the leaked contact information. The company reiterated that it will never request credit card details or bank transfers via email, phone, or third-party messaging apps like WhatsApp. As of the afternoon of April 13, the company reported that its services remain fully operational and that the security vulnerability exploited in the attack has been addressed.