Last updated 1 month ago
Booking.com, the Amsterdam-based online travel agency, confirmed a data breach in which unauthorized parties accessed reservation data belonging to some customers. The incident was disclosed in Check Point's Threat Intelligence Bulletin for the week of 20th April 2026. The number of affected records and the total user population impacted were not disclosed.
The attack vector involved unauthorized access to Booking.com's reservation systems, though the specific initial access method (e.g., credential compromise, vulnerability exploitation) was not detailed. Exposed data types included customer names, email addresses, phone numbers, physical addresses, and booking details. No threat actor or ransomware group was attributed, and no CVEs or MITRE ATT&CK techniques were referenced.
No further post-incident details were provided, such as regulatory notifications, litigation, ransom payments, or remediation milestones.
Unauthorized access to reservation data
Booking.com's breach underscores the critical need for robust access controls and continuous monitoring of reservation systems, particularly for a travel platform handling sensitive customer PII. The exposure of names, emails, phone numbers, and addresses suggests that insufficient segmentation or inadequate authentication mechanisms allowed unauthorized parties to access this data. Implementing strict least-privilege policies, multi-factor authentication for all system access, and real-time anomaly detection could have mitigated the risk of such unauthorized data exfiltration.
Sign in to join the discussion.
Company
Industry
Location
Disclosed
Records Affected
Attack Vector