Following reports that Booking.com suffered a data breach exposing customer booking details, a cybersecurity expert warns this type of incident could significantly increase highly convincing travel scams.
According to NordVPN’s Adrianus Warmenhoven, even limited data exposure can have serious real-world consequences for travellers:
“This type of breach is particularly dangerous not because of financial data, but because of context. When attackers gain access to booking details, such as names, travel dates and accommodation information, they can craft highly convincing, personalised scams that are much harder to detect.”
“Imagine receiving a message that references your exact stay, dates and property – it immediately feels legitimate. This is exactly what cybercriminals rely on. We expect to see a spike in phishing emails, fake payment requests, and ‘verification’ messages targeting affected users.
“Travel-related data is especially sensitive because it introduces a time element,” Warmenhoven adds. “Scammers know exactly when you’re due to travel, which makes their messages feel urgent and legitimate – whether it’s a ‘problem with your booking’ or a ‘last-minute payment request’.
“If you’ve recently booked travel, be extremely wary of any unexpected communication asking for payments, verification, or personal details – even if it appears to come from a trusted source. Always verify directly through official platforms, not links or phone numbers provided in messages.”
Warmenhoven offers key tips for travellers:
- Avoid clicking on links in unexpected emails or messages about bookings;
- Never share payment details via email, SMS, or messaging apps;
- Verify requests by logging into official platforms directly; and
- Watch for urgency tactics or last-minute “issues” with reservations.
Richard Ford, group chief technology officer at Integrity360, points out that the scale of Booking.com means this breach has the potential to impact a huge number of people, even without financial data being exposed.
“The real risk comes from the detail around bookings,” he says. “That information allows attackers to create highly convincing messages, whether that’s a WhatsApp, email, or phone call that feels completely legitimate.
“What makes this more dangerous is how normal these interactions already are,” Ford adds. “Customers are used to receiving links for check-in, property details, or follow-ups after a stay. That creates an easy path for attackers to slip in malicious links that can steal information or compromise devices.
“This isn’t limited to upcoming trips either. Past bookings can be used to send believable follow-up messages, which many people are less likely to question.”
He says the safest approach is to avoid clicking on links in unexpected messages and go directly to the Booking.com app or website to check any communication.
“For businesses, it underlines how quickly exposed data can be used to target customers in ways that are difficult to distinguish from genuine contact.”