Three weeks after Observer Cash revealed that the Booking.com email system had been hacked and that a number of customers had had their credit card details compromised, it has emerged that the website has been sending emails to some customers warning them to cancel their cards. At the same time, others have come forward to say “me too”.
Those affected had either checked in, or were due to check in, to a hotel they had reserved using theBooking.com’s website or app. They had received an email – from the official noreply@booking.com address – warning their stay may have to be cancelled unless they handed over bank card details via an embedded link.
At the time of the original report Booking.com strenuously denied its system had been hacked and, instead, blamed the messages on breaches in the email systems of partner hotels.
This week it emerged Booking.com has been sending out emails warning its customers their card details may have been compromised, although it states this was just where it had uncovered “potentially suspicious activity” on a specific accommodation provider’s account.
Reader IA was contacted this week by the company despite not having made a reservation since June.
The email IA received said: “We recently noticed some suspicious activity from an unknown external device attempting to access certain Booking.com systems, using property logins which may have unfortunately led to unauthorised third parties being able to access your reservation details, including payment card data.”
The company tells Guardian Money that it was aware that “some of our accommodation providers have been targeted by very convincing and sophisticated phishing tactics” which “enables the fraudsters to impersonate the accommodation and communicate with guests via email or messages”.
It says: “We have also been continuously updating and expanding the cybersecurity section of our partner hub to include even more information on malware and phishing.”
In the meantime, the advice is clear: be very suspicious of any emails, or contact, that appear to come from Booking.com or its partner hotels. Don’t follow any account verification links sent out and phone the hotel if asked for an extra payment.
We welcome letters but cannot answer individually. Email us at consumer.champions@theguardian.com or write to Consumer Champions, Money, the Guardian, 90 York Way, London N1 9GU. Please include a daytime phone number. Submission and publication of all letters is subject to our terms and conditions
