The Booking.com Breach: What Small Businesses Need to Know Right Now

On 13 April 2026, Booking.com confirmed that unauthorised third parties had accessed customer booking information, including names, email addresses, physical addresses, phone numbers and details shared with accommodation providers. The Amsterdam-based travel giant has reset reservation PINs and begun notifying affected customers, but has refused to disclose how many people are impacted or exactly how the breach occurred.

If your small business uses Booking.com to manage holiday lets, B&Bs, guest houses or hotel rooms, or if your staff book travel through the platform, this breach affects you directly. Here is what happened, why it matters, and what you need to do about it.

What Was Exposed?

According to notifications received by customers over the weekend, the compromised data includes:

• Full names of guests
• Email addresses linked to bookings
• Physical addresses provided during reservation
• Phone numbers attached to the booking
• Booking details including dates, property names and reservation specifics
• Messages exchanged with the accommodation through the platform

Booking.com has stated that financial data such as payment card numbers and passwords were not accessed. However, the personal information that was exposed is more than enough for criminals to launch highly convincing phishing attacks against both guests and property owners.

Why This Matters for Small Businesses

You might think a breach at a large travel platform has nothing to do with your small business. That is wrong, for three reasons.

1. Your Business Data May Be in There

If anyone at your company has booked business travel through Booking.com in the past year, their name, email, phone number and travel dates may now be in criminal hands. That is enough information to craft a targeted spear-phishing email that looks entirely legitimate — referencing a real trip, a real hotel, and a real date.

2. If You List Properties on Booking.com

Small hospitality businesses — holiday lets, B&Bs, boutique hotels — that list on Booking.com should be aware that previous breaches of this platform have involved compromised partner accounts. In 2024, criminals gained access to hotel administration portals and used Booking.com's own messaging system to send fraudulent payment requests to guests. If your Booking.com partner credentials are not secured with a strong, unique password and multi-factor authentication, you are at risk.

3. Your Customers Expect You to Protect Their Data

Under UK GDPR, if you share customer data with a third-party platform like Booking.com, you remain partly responsible for how that data is handled. If your guests' information has been exposed through a platform you use, they will look to you for answers — and your data protection obligations require you to be prepared.

The Phishing Threat Is the Real Danger

The data stolen in this breach is a phishing goldmine. Criminals now have everything they need to send emails that say:

"We noticed a problem with your reservation at [real hotel name] on [real date]. Please verify your booking by clicking here."

These messages will look genuine because they contain real information. Multiple users on Reddit have already reported receiving scam messages that reference their actual bookings. The messages arrive via email and, in some cases, through Booking.com's own in-app messaging system, making them even harder to distinguish from legitimate communications.

This is not theoretical. Booking.com itself reported in 2024 that phishing attacks targeting travellers had risen by 900 per cent, driven partly by criminals using AI to craft more convincing messages. This breach gives those criminals fresh, accurate ammunition.

What You Should Do Right Now

For All Small Businesses

• Alert your team. Tell every employee who may have booked travel through Booking.com to watch for suspicious emails referencing their trips. Do not click links in any message that claims to be from Booking.com — go directly to the website or app instead.
• Change passwords. If anyone uses the same password for Booking.com as they do for work accounts, change those passwords immediately. Use a password manager to generate unique credentials for every service.
• Enable multi-factor authentication (MFA). Turn on MFA for Booking.com accounts and every other business-critical service. This is the single most effective step you can take to prevent account compromise.
• Review your email security. Ensure your business email has SPF, DKIM and DMARC configured correctly. These controls help prevent criminals from spoofing your domain in phishing campaigns.

For Hospitality Businesses Listed on Booking.com

• Secure your partner portal. Change your Booking.com extranet password immediately. Enable MFA if you have not already done so.
• Monitor your messaging. Watch for any messages sent through the Booking.com platform that you did not write. If criminals gain access to your partner account, they can message guests directly.
• Warn your guests proactively. Consider sending a brief, honest message to recent and upcoming guests explaining that Booking.com has disclosed a breach and advising them to be cautious of unsolicited messages asking for payment or personal details.
• Review your data sharing. Understand what guest data you share with Booking.com and whether you hold copies locally. Document this as part of your GDPR records of processing activities.

A Pattern, Not an Incident

This is not the first time Booking.com has been involved in a data breach. In 2018, criminals used phone scams to trick hotel staff in the UAE into revealing their Booking.com login credentials, exposing the data of over 4,000 customers including credit card details. Booking.com was subsequently fined €475,000 by the Dutch Data Protection Authority — not for the breach itself, but for reporting it 22 days late, far beyond the 72-hour notification window required under GDPR.

The pattern is clear: travel platforms hold enormous quantities of personal data, and they are a persistent target for criminals. Small businesses that rely on these platforms need to treat third-party risk as seriously as they treat their own internal security.

The Bigger Lesson: Third-Party Risk Is Your Risk

Every platform you share customer data with is an extension of your attack surface. When a platform is breached, your customers' data is exposed — and your business reputation is on the line. This applies to Booking.com, but it equally applies to every SaaS tool, payment processor, email marketing platform and cloud service your business uses.

The practical steps are straightforward:

1. Know where your data lives. Maintain a simple register of every third-party service that holds your customer or business data.
2. Minimise what you share. Only provide the minimum data required. If a platform does not need a phone number, do not provide one.
3. Secure every account. Unique passwords and MFA on every platform, without exception.
4. Have a response plan. Know what you will do when (not if) a third-party service you use is breached. Who will you notify? What will you tell customers?

If you are unsure where to start, our cyber security plans are designed specifically for small businesses and include third-party risk guidance alongside practical tools to protect your business.