Criminals Exploit Hotel Partners to Access Booking.com Guest Data
AI-generated from multiple sources. Verify before acting on this reporting.
LONDON (AP) — A criminal group known as Storm-1865 has compromised Booking.com guest reservation data by targeting third-party hotel partners with phishing campaigns and malware, enabling scammers to impersonate properties and defraud travelers globally.
The breach, which came to light on April 16, 2026, involved the exploitation of vulnerabilities within the booking platform's network of hotel partners. Investigators determined that the attackers used a phishing campaign dubbed ClickFix to gain initial access to hotel management systems. Once inside, the group deployed malware that allowed them to harvest sensitive guest information, including names, contact details, and reservation dates.
The stolen data was subsequently used to launch sophisticated fraud schemes. Scammers impersonated hotel staff to contact guests, often claiming issues with reservations or requesting additional payment information. Victims were targeted across North America, Oceania, South and Southeast Asia, and Europe. The geographic scope of the attack suggests a coordinated effort to maximize financial gain by exploiting the trust travelers place in established booking platforms.
Booking.com confirmed the incident and stated that it is working with law enforcement agencies to investigate the breach. The company has notified affected partners and is implementing additional security measures to prevent similar attacks. Hotel partners have been advised to review their systems for signs of compromise and to update their security protocols.
The attack highlights the growing risks associated with third-party integrations in the travel industry. By targeting hotel partners rather than the central booking platform directly, the criminals were able to bypass some of the more robust security measures in place at the corporate level. This approach has become increasingly common among cybercriminal groups seeking to access valuable customer data.
Storm-1865 has been linked to other cyberattacks in the past, but this incident marks one of the most significant breaches of guest data in the travel sector. The group is believed to be motivated by financial gain, selling stolen data on dark web marketplaces or using it directly for fraud.
Authorities are still determining the full extent of the data breach and the number of guests affected. Booking.com has not released specific figures on the volume of compromised records. The company is urging travelers to remain vigilant and to report any suspicious communications claiming to be from hotels or booking platforms.
As the investigation continues, questions remain about the long-term impact on consumer trust and the potential for further exploitation of the stolen data. Security experts warn that the stolen information could be used for identity theft or other forms of fraud well beyond the initial scam attempts.
The incident underscores the need for enhanced security measures across the travel industry, particularly for third-party partners who may have less robust defenses than major platforms. Booking.com and its partners are expected to face increased scrutiny from regulators and consumers in the coming months.