Confidential booking.com booking information is being used to defraud customers – Ars Technica

For nearly five years, Booking.com customers have been on the receiving end of a series of scams that clearly show criminals have access to travel plans and other personal information customers provide to the travel site.

One of the most recent shocks came from an Ars reader who asked not to be identified by his real name. A few months ago, Thomas, as I call him, saved up and paid for a two-night stay at a hotel in Italy this July. Here is the legal position:

Last week, out of the blue, he received two emails. The headers show that the original message came from the real Booking.com domain. He was sent on behalf of a hotel in Italy and asked for an unavailable confirmation key to be pressed for his next stay. The hotel also informed him that it will transfer all bookings made from that address to your account. Phishing-looking, the email includes his full name, reservation confirmation number, actual hotel name, and date of stay.

A second email purported to be sent by Booking.com on behalf of the hotel, but the headers show that it was actually sent by a yandex.net address. The email includes the aforementioned verification key, which redirects to a URL generated by the Russian shortening service nah.uy.

Clicking the confirmation button led Thomas to the exact copy of the Booking.com website. He also showed his name, date of stay and hotel, exact price paid and instructed him to enter his payment card.

Thomas then received a WhatsApp message sent to the number Booking.com had on file for him. It was saved as a message from the booked hotel and asked if he would like parking during his stay.

Thomas has not shared any of his travel details online. That means the personal information in the emails sent by these scammers comes directly or indirectly from booking.com. It is not known exactly how the scammers got it.

At this point, it’s easy to break the puzzle into a neutral slide. Web searches, however, show that scams with nearly the same elements have been repeated for at least five years. In this 2018 thread, a Reddit user reported receiving an email stating that their reservation on booking.com had been canceled because the credit card they used to make the reservation could not be processed.

These scammers had a valid confirmation number and a valid payment for the reservation. A Reddit user pointed to this article: Booking.com customers targeted by WhatsApp and text scams. It has been reported that several hotels have been targeted by WhatsApp messages trying to steal large sums of money from customers. The messages contain names, addresses, phone numbers, confirmation numbers, and reservation dates and prices.

Booking.com told the publication that there was no compromise on booking.com’s systems, but that “a few properties have had their accounts compromised by phishing emails sent by cybercriminals and by clicking on those emails.” “All potentially affected guests have been notified,” the company added.

Web searches show that after the article and Reddit thread was released in June 2018, the same scam has been played repeatedly over the years and continued until this month. Here are some of the results:

Is Booking.com Hacked (And Not Telling Anyone)? – InsideFlyer

France Hotels on Booking.com – Hotel Association – UrduPoint

Booking.com customers fall victim to phishing scams – Tourism Travel Vacations

Booking.com fined $560,000 for GDPR data breach. Daily Swig

The hotel booking platform has extracted user data from top online booking sites.

The Dutch data protection authority fines Booking.com over the risk notification – Security Week

Booking.com Phishing Scam Targets Unsuspecting Customers – Merrimack County Savings Bank

Is this booking.com related scam or legit? : Scams

Booking.com Scams: Scams

Booking.com Targeted By Hackers In WhatsApp And Text Scams – Latest Advice | Travel news | travel | Express.co.uk

Is booking.com a scam? : Scams

I tried to scam a fake hotel I booked on booking.com via WhatsApp. : Scams

Is this a scam? Booking.com: Scams

Through booking.com I found an unusual scam: Scams

Could this be a scam – has anyone seen or heard of a scam like this? : Scams

When I pointed out the five years of repeated fraud to Booking.com representatives and asked for comment, they responded almost verbatim to the 2018 article.

At Booking.com, the safety and data protection of our customers and hosting partners is a top priority.

We have been informed that some accommodation partners have been targeted by phishing emails, which unfortunately caused their systems to crash. While the security breach was not on booking.com, we are aware that the accounts of some of our accommodation partners were affected. To help reduce the risk, these accounts were quickly suspended by Booking.com and our teams are actively supporting these accommodation partners to keep their listings on the platform quickly and safely. As our security teams continue to investigate this issue, we are actively supporting any affected customers.

The statement offered general practical advice for Booking.com customers to stay safe, but none of the advice would have prevented the scams I requested.

This is not the first time that the security of third-party partners has exposed personal information to users of travel booking services. In the year In 2020, researchers from a company called Website Planet reported that they had access to data collected over the past seven years for more than 100,000 people who use Booking.com and at least seven other online booking services:

• Agoda
• Amadeus
• Expedia
• Hotels.com
• Hotel beds
• Omnibus
• Saber

The information leaked in that incident included full names, email addresses, national ID numbers, phone numbers, number of hotel guests, credit card details, total cost of hotel reservations and reservation details. Website Planet said the data was collected and stored in an unstructured Amazon S3 bucket by Spain-based Prestige Software, which sells a channel management platform to hotels. While this breach affects customers of several booking services, web searches show that these types of data breaches continue to disproportionately affect Booking.com users compared to its competitors.

Five years later, it’s difficult to understand how the laxity in booking.com’s partner network can continue to leak personal data, leaving customers open to fraud and other forms of fraud. The company’s insistence that its systems were not breached is of little comfort to those affected. There is no doubt that travel sites are immune from partner infringement, but empirical evidence shows that Booking.com customers are the most targeted. Until Booking.com comes clean, people are better off booking travel using a different site.