Booking.com customers warned of ‘reservation hijacking’ after data breach


With the busy travel season approaching, a data breach at Booking.com is leading to warnings about phishing scams known as “reservation hijacking.”

Amy Warms got an email written in Catalan from Booking.com warning about a data breach that allowed a third party to access booking details, including contact information.

“What I was able to read is like, compromiso, la securidad,” said the Winkler, Man., woman, who has never been to Spain and is not planning a trip there.

“I’ve already logged out. I’ll be going in and changing my passwords and deleting any credit card information.”

The company, which is headquartered in Amsterdam, told CBC News banking information was not part of the data breach, but a spokesperson would not disclose how many people are impacted by the hack.

Booking.com will never ask guests to share credit card details by email, over the phone, WhatsApp or text, and it won’t ask for a bank transfer, said Sage Hunter, a company spokesperson in North America, in an email response.

But some clients say they’ve already been contacted by scammers, asking them to re-confirm their reservation. Others are reporting big unauthorized charges on their credit cards.

Mert Aktas says he was contacted by a scammer after reserving a hotel in Greece on Booking.com. (Credit: Mert Aktas)

Mert Aktas, from Istanbul, Turkey, says he booked a hotel in Greece three months ago. On March 28, he received a “sketchy” WhatsApp message from a Pakistani phone number, which said he needed to click on the link to complete his check-in.

Aktas reached out to Booking.com and was told it must be a hack at the hotel end. After days of communication, the company finally confirmed a data breach.

“I don’t think transparency exists,” Aktas told CBC News, adding he worries about people who are not familiar with technology and phishing scams.

“I was very actually upset for those people who will be getting scammed,” he said. “Also, I was just a bit upset because my information has been stolen.”

“Reservation hijacks” are a more sophisticated version of the traditional phishing scam, according to David Shipley, CEO of Fredericton-based Beauceron Security.

‘Robbers are now high tech hackers’

“They know you’re booking. They wait for it to get close to the date. They email you convincingly that your booking has been cancelled and you need to contact them immediately. That is stressful,” he said.

“Now we’re in panic mode. And that’s when we start to make mistakes that they capitalize on,” Shipley said. “By the time that you see the weird transaction on your credit card, you already just had that stressful conversation where you rebooked your room — but you didn’t. They just stole your information and they stole your money.”

A data breach at travel site Booking.com has left customers vulnerable to a sophisticated scam in which fraudsters pose as hotel staff to get victims to send them money.

Booking.com is one of the biggest accommodation reservation sites in the world. According to its website, nearly seven billion customers have made reservations since 2010. It has more than 31 million listings in more than 200 countries and territories around the world. The company that owns it also owns OpenTable, Agoda and Kayak.

“It’s a massive, massive platform,” said Max Johnson, a tourism consultant at TTJ Tourism in Winnipeg. He also got an email from Booking.com.

“It’s just an extension of cops and robbers that’s been going since the dawn of man, except the robbers are now high tech hackers and the stakes are much higher,” he said. 

“As we put so much more valuable information into the servers of four or five companies … the prize of being able to get into one of these four or five is so great, the resources that are put into hacking get greater every day. And frankly, there’s nothing we’re going to be able to do about it.”

Tourism consultant Max Johnson says with more and more data breaches being reported, he would like to see increased consumer protection for Canadians. (Credit: TTJ Tourism)

Shipley says Canada is far behind places like Europe when it comes to protecting Canadians from online scams. 

He points to the General Data Protection Regulation, said to be the toughest privacy and security law in the world. It levies harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.  

“We have been debating for the better part of five years, trying to catch up to laws Europeans passed a decade ago, and that means real meaningful transparent communications from Booking.com to Canadians,” Shipley said.

“And fines. You know, in Europe, [Booking.com] is going to face up to four per cent of their top line revenue as a fine. So that actually gets their attention. It causes them to invest in improving their security,” he said. 

“We don’t send the right signals in Canada.”

Feds look to create anti-fraud strategy

In 2018, login details were stolen from hotel employees in the United Arab Emirates, which allowed access to the booking data of more than 4,000 people on the platform. Booking.com reported the breach 22 days late to the Dutch privacy regulator, resulting in a fine of nearly $770,000.

Consultations began last month on a new National Anti-Fraud Strategy the Carney government introduced in its 2025 budget. Plans are also underway to establish a new Financial Crimes Agency this spring, said John Fragos, spokesperson for the federal finance minister, François-Philippe Champagne.

Both are meant to protect Canadians from financial crimes, Fragos said. The anti-fraud strategy takes aim at everyday scams and fraud, while the agency will target large-scale complex crimes and the bad actors behind them.


