Living

Are travel companies doing enough to protect your booking data?

By Christopher Elliott Elliott Report

Wuri Handayani had just flown from Jakarta to London when her phone buzzed. The message came through WhatsApp from someone calling herself “Christin,” an administrator at Hotel Flair in Salzburg, Austria, where Handayani had made a reservation through Booking.com.

The system couldn’t verify her credit card, Christin wrote. Her room was at risk unless she confirmed her details “right away.”

Handayani clicked the link. By the time she understood what had happened, her card was billed 1,036 euros. The scammers had walked her through a payment that required a one-time password, so her bank treated the charge as authorized and refused to claw it back.

Why these scams know so much about you

The reason the message felt real is that it was built from real information. Security researchers at Norton call this reservation hijacking, a form of targeted phishing where criminals use genuine booking details to make their messages look legitimate.

In a few months of tracking, Norton identified more than 350 compromised accommodations across 50 countries, spanning hotels, hostels, resorts, and guesthouses. The scams work because they lean on details only you and your hotel should know.

The data has to come from somewhere, and the travel industry keeps springing leaks. In April, Booking.com began notifying customers that unauthorized third parties had accessed reservation data.

Here’s the part that should worry you: Travelers reported getting scam WhatsApp messages with accurate booking details before Booking.com even sent its notification. The fraud moved faster than the disclosure of the breach. That’s probably because a team of lawyers vets each disclosure, which can take a while. Criminals have no such reservations.

Booking.com draws a careful line. It denies a direct breach of its own systems and says attackers got in by stealing login credentials from its hotel partners. Whatever you want to call it, the data ended up in the wrong hands.

The cruise business isn’t faring better. Carnival Corporation confirmed that 5,995,277 people were affected by an April breach, according to a notice filed with the Maine attorney general’s office.

The exposed data includes names, addresses, dates of birth, and government-issued ID numbers such as passport and driver’s license numbers. Eurail, KLM, and Air France have all reported breaches in the past year, and like the Booking.com case, most traced back to a third party rather than the company’s own front door.

What the travel industry says

Airlines, cruise lines and hotels claim they’re doing what they can to keep your data safe. Trade groups and executives point to the millions they spend on security and argue that criminals go after the weakest link, usually an independent hotel or a contractor, not the big platform.

The travel business sits on enormous stores of passport numbers, payment cards, and itineraries, and its sprawling supply chains and franchised operations make it a soft target. Holding a platform liable for fraud committed by outside criminals, the argument goes, would raise costs and shrink the supply of cheap bookings.

But is the travel industry doing enough?

And that brings us to today’s question.

And a few follow-up questions …

If you said yes:

  • When a platform’s own customer service says a hotel agreed to a refund, should the platform have to pay if that refund never lands?
  • What, if anything, should booking sites be required to do to vet the security of the small hotels they sell?

If you said no:

How do you protect yourself when the scammer already has your real confirmation number and check-in date?

Once a bank treats a one-time-password charge as authorized, what’s left for the consumer to do?

My take

A company that collects your whole itinerary takes on a duty to guard it. When that data leaks and turns into a weapon aimed at you, “we spend millions on security” is not an acceptable answer.

Handayani’s case shows where the system fails the customer. Booking.com’s own customer service emailed her to say the hotel had agreed to process a refund. That was months ago. She’s still waiting for her money.

Booking.com can argue all day about whether its servers or partners were breached. To Handayani, with a fake message on her phone, that distinction means nothing. The platform held the data, it ran the channel the scammer used, and it made the refund promise. It owns the outcome.

The fix here isn’t complicated. Treat reservation data like the sensitive material it is. When your own staff promises a refund, honor it. (And travelers, don’t treat every message on WhatsApp as gospel truth. It could be a scammer.)

Your turn

Have you gotten an urgent message demanding card verification right after booking a trip? Tell me about it in the comments. These stories are how we push for change, and booking scams are some of the most-read, most-argued pieces we run. What’s the one question about travel privacy you wish someone would finally ask?

Elliott Report

This story was originally published May 31, 2026 at 4:00 AM.

Get one year of unlimited digital access for $159.99
#ReadLocal

Only 44¢ per day

SUBSCRIBE NOW