
On April 13, 2026, Booking.com confirmed that unauthorized third parties accessed customer booking information. The company began notifying affected users via email on Sunday evening, stating it had detected “suspicious activity” affecting “a number of reservations.”
What Data Was Exposed
According to Booking.com’s customer notification, the potentially compromised data includes:
- Booking details
- Customer names
- Email addresses
- Home/physical addresses
- Phone numbers
- Any information guests shared directly with their accommodations
What Remains Unknown
Booking.com has not disclosed:
- The total number of affected customers
- Whether payment card details were compromised
- How long the unauthorized access persisted
- The attack vector or method of compromise
- When the suspicious activity began or was detected
- Whether any data was exfiltrated, rather than only accessed
The company stated the situation is “now under control” but provided no technical details about containment or evidence collection.
Prior Incident History
This is not Booking.com’s first breach. In 2018, unauthorized access via phishing compromised booking data for over 4,000 customers in the United Arab Emirates. Booking.com reported this incident to Dutch authorities 22 days after discovery, exceeding the GDPR’s 72-hour notification requirement. The company was fined €475,000 by Dutch regulators.
Customer Guidance from Booking.com
The company advised affected customers to:
- Remain alert for phishing scams and suspicious messages claiming to reference their reservations
- Use antivirus software
- Monitor for unexpected contact related to bookings or personal information


