Last Update: 06/03/2026 at 4:25 AM EST
Booking Data Breaches And Exposure
Coverage from WebProNews, AOL.com, and others
Articles
40
Latest Article
05/31
Active Days
2740
Executive Summary
Recent coverage shows repeated exposure of travel-related personal data, especially booking records and identity documents, with Booking.com and a third-party UK visa portal both highlighting weak disclosure, phishing risk, and vendor security failures. The pattern is operational rather than abstract: reservation PIN resets, customer notifications, breached passport files, and uncertain access scope dominate the current signal.
Key Points
- Booking.com incidents dominate the current signal, with unauthorized access to reservation-linked personal data and repeated PIN resets used as a containment step.
- The exposed booking data is usually not financial data, but it is detailed enough to support phishing, impersonation, smishing, and social engineering.
- A third-party UK visa portal reportedly exposed passport scans, selfies, and contact details in unsecured cloud storage, widening the topic beyond one platform.
- Vendor and partner weaknesses are a recurring pattern: incidents often originate through third-party access, phishing, or poorly secured storage rather than direct consumer-facing compromise.
- Disclosure remains incomplete in multiple cases, with companies withholding affected-user counts, timing, or technical scope while notifying users after detection.
- The privacy risk is not just exposure itself but reuse of travel identity data, especially reservation details, passport numbers, and location-linked images.
- Historical Marriott and Booking.com incidents suggest this is an ongoing operational problem in travel data handling rather than an isolated event.
Featured Article
Booking.com confirmed a Sunday evening data breach after suspicious activity potentially exposed reservation and contact data for some guests.
Coverage Timeline: 2740 Days
Hover over any logo to see coverage summary, click for full article.
Additional Articles
⭐⭐⭐⭐⭐
Anurag Sen reported a long-running public Amazon S3 exposure of Reqrea's Tabiq hotel identity documents and facial verification photos, prompting rapid containment.
Booking.com disclosed a breach after suspected third party access to reservation data, prompting customer notifications and PIN updates.
KasadaIQ reported Booking.com reservation data exposure and described Dabai Guarantee Telegram marketplaces as AI-driven fraud markets expanded in Q1 2026.
Booking.com reported a third-party incident involving unauthorized access to some reservation records and issued PIN code changes after containment actions.
Reqrea’s Tabiq hotel check-in platform exposed over one million passports and selfie verification photos online after an Amazon cloud bucket misconfiguration was discovered in Japan.
Booking.com disclosed a data breach in which personal data such as names, addresses, and reservations were exposed, raising risk of personalized phishing scams.
Reqrea secured a misconfigured Amazon cloud storage bucket after researcher Anurag Sen and TechCrunch alerted JPCERT to worldwide exposure of passport and ID documents.
Researchers reported a data leak in the UK Visa Portal third-party travel authorization website in the UK, exposing up to 100,000 identity documents in public cloud storage.
TechCrunch reported a third-party UK visa portal exposed at least 100,000 passport scans and GPS-bearing selfies on a public Amazon storage server before bucket security.
Booking.com reported a reservation-data breach and introduced new reservation PINs after suspected hacker access potentially exposed customers in affected reservations.
Booking.com confirmed unauthorized access to customer booking data after partner-targeted phishing and spoofed emails, with alerts and reservation PIN updates following containment.
Booking.com confirmed in April 2026 that unauthorized third parties accessed reservation data, exposing PII used for targeted phishing and impersonation.
Booking.com notified customers on 13 April 2026 that compromised hotel-partner accounts enabled reservation-data access used for reservation-hijack payment scams.
⭐⭐⭐
Booking.com notified customers after discovering unauthorized third-party access to some booking information, updating reservation PINs, and reporting no financial data access.
BWH Hotels disclosed April 22 detection of a third-party intrusion exposing guest identity and reservation data dating to October 14, 2025, affecting hotel customers while omitting payment data.
Booking.com said unauthorized third parties may have accessed reservation-associated information, prompting PIN resets and direct email alerts to impacted users.
Booking.com confirmed a reservation-data breach after unauthorized access to booking information, notified customers, updated PINs, and warned about reservation hijack fraud scams.
Booking.com disclosed unauthorized access to reservation-linked traveler personal data over the weekend and began notifications while stating payment data was not exposed.
Gîtes de France reported a cyberattack affecting up to 389,000 European clients after May 18 breach notifications in France.
Booking.com confirmed an unauthorized reservation-information breach and warned travellers about phishing messages using booking details delivered via email and WhatsApp.
Booking.com reported a potential customer data breach in the Netherlands, after UK users reported phishing emails and messages aimed at password resets.
Booking.com notified customers in response to a suspected data breach involving unauthorized access to reservation-linked personal information, while stating payment data was not accessed.
BWH Hotels disclosed between October 2025 and April 2026 unauthorized access to a guest reservation web application, exposing names, contact details, and booking information.
Booking.com confirmed a data breach on 2026-04-12 affecting reservation details and contact information, while stating payment information was not accessed.
Booking.com notified users in the 2020s after suspicious activity tied to reservations may have exposed booking and contact details, leading to PIN resets and phishing warnings.
Booking.com notified customers after suspicious activity raised concerns about unauthorized access to reservation contact details, with notifications and reservation PIN updates following the discovery.
Booking.com notified travelers of unauthorized access to booking data, issued new PINs, and left breach scope and remediation details unspecified.
Booking.com confirmed in the 2020s that unauthorized third parties accessed reservation-linked customer data, triggering containment, PIN updates, and guest notifications.
Booking.com confirmed a Sunday evening data breach after suspicious activity, warning that unauthorized third parties may have accessed customer reservation details and notifying affected guests.
Marriott discloses a data breach affecting up to 500 million Starwood guests dating back to 2014 in the online booking system.
On April 13, 2026, Booking.com confirmed unauthorized access while Anodot and OpenAI faced cloud and supply-chain incidents, alongside actively exploited vulnerabilities affecting privacy-relevant data.
Booking.com informed customers via email in 2026 that unauthorized parties may have accessed reservation booking information and updated reservation PIN numbers.
Booking.com reported a reservation hijack on April 13, 2026, exposing user personal data and booking history while stating no financial data access occurred.
Booking.com issued new reservation PINs after unauthorized third parties accessed booking-linked data, enabling impersonation scams via WhatsApp, email, and SMS.
Booking.com reported an April 2026 breach with leaked contact and reservation details that facilitates reservation hijacking impersonation scams.
Booking.com notified customers after suspected unauthorized third-party access to reservation-linked personal data, issued PIN resets and phishing warnings, and said no payment data was accessed.
Booking.com disclosed an unauthorized third-party incident affecting some guests' booking details, detected and contained after suspicious activity, with reservation PIN code resets and user guidance.
Booking.com notified customers after hackers accessed reservation data over a weekend, potentially exposing names and contact details and prompting PIN resets and phishing warnings.
Scammers in San José, Costa Rica used Booking.com reservation data to impersonate Hilton staff and collect payments outside standard booking channels.