Global online travel behemoth Booking.com, one of the world’s largest travel platforms with operations spanning 160 countries and over 28 million property listings, has issued an urgent warning to its Australian customers after confirming a large-scale data breach that allowed unauthorised third parties to access sensitive personal user data.
In notifications sent to affected users overnight, the Dutch-headquartered company confirmed that it had detected suspicious activity linked to a subset of customer reservations. After identifying the anomaly, security teams moved quickly to seal off the breach and prevent further unauthorised access, launching a full internal investigation to map the scope of the incident.
The probe confirmed that bad actors gained access to a range of personal user information, including customers’ full names, registered email addresses, contact phone numbers, and additional details that users had shared with accommodation providers via the platform. To mitigate ongoing risk, the company has issued new reservation confirmation numbers and PIN codes to impacted users, urging them to remain vigilant for unsolicited communications from scammers impersonating Booking.com staff or accommodation representatives.
“Your personal data security is our highest priority,” the company stated in its customer notification. “We will continue to upgrade and expand the comprehensive security protocols we have in place to protect all user bookings made through our platform.”
As of the latest update, Booking.com has not confirmed how many total users have been impacted by the breach, nor has it verified whether sensitive financial information such as credit card details or bank account credentials were accessed by the unauthorised parties. Outlets have reached out to company representatives for additional comment on the incident.
This breach is not an isolated event for the travel giant: industry outlet Techzine has documented multiple prior cyberattacks and data breaches targeting Booking.com, including a 2024 phishing scam that stole employee login credentials from hotel workers in the United Arab Emirates. The report also notes that phishing attacks targeting global travelers have spiked 900% since the start of 2024, a trend that has put millions of booking platform users at increased risk.
Australian fraud monitoring agency ScamWatch adds broader context to this risk: last year alone, more than 65,600 Australian residents lost a combined total of AU$31 million to phishing scams, making this one of the fastest growing cyber threat categories for domestic consumers.