Booking.com, an online travel agency and metasearch engine, has informed several clients that their personal information may have been compromised due to a data breach.
A few South African users also experienced the impact. It said, “At Booking.com, we’re committed to the security and data protection of our guests.”
“In keeping with that, we’re writing to let you know that some booking information related to your reservation may have been accessed by unauthorized third parties.”
According to the company, it recently discovered suspicious activity impacting several reservations and acted right away to contain the problem.
According to the results of our investigation thus far, booking details, names, emails, addresses, phone numbers, and any other information you may have shared with the property could be accessed.
In order to protect customers’ reservations, Booking.com claimed to have modified reservation PINs. Additionally, it suggested that consumers adopt additional safety measures.
Installing antivirus software and being particularly cautious of phishing and spearphishing efforts were among the general recommendations.
Booking.com began as a modest Dutch start-up in Amsterdam in 1996 and has since expanded to become one of the leading online travel agencies in the world.
Booking.com bills itself as a technology firm that connects millions of travellers to a range of transportation alternatives and unforgettable vacation experiences.
It enables private persons to market their residences or additional apartments on the platform in addition to guesthouses and hotels.
It said, “Booking.com enables properties around the world to reach a global audience and grow their businesses.”
More than 28 million lodging listings, including more than 6.6 million homes, apartments, and other unusual places to stay, are available on the platform in 43 languages.
Booking.com did not specify the number of individuals or listings impacted by the breach or provide any other indication of the incident’s scope.
Some members of the press had questioned Booking.com about the number of South African users impacted and whether it will report the breach to the Information Regulator. It refused to respond to our inquiries.
Rather, it restated the details of the notice it gave to visitors regarding the modification of their booking PINs. “We took action to contain the issue after discovering the suspicious activity,” a representative stated.
Each month, 284 breach notifications are sent to the Information Regulator. According to cybersecurity company Palo Alto Networks, a threat actor breaches a South African organization every three hours.
Data breaches are on the rise in South Africa, where they have increased by 60% in just the first half of 2025.
A new cyber extortion outfit known as XP95 compromised three South African organizations in March 2026. The three attacks involved the theft of student and job seeker data.
Following a successful attack on the Gauteng Provincial Government, the most recent victims were Statistics South Africa and the Gauteng City Region Academy (GCRA), which provides student bursaries.
The context and scam risks as of the start of April 2026 are that this alert is part of an ongoing wave of sophisticated phishing attacks on Booking.com users.
How the scam works is that hackers break into individual hotel admin accounts, not Booking.com’s main system, and then use real customer data to send believable messages through WhatsApp or the official Booking.com app.
And from the hook, scammers create urgency by claiming a payment problem and demanding credit card info or an immediate bank transfer to “secure” the booking.
What South African users should do now is that if a user has an active or recent booking, take these steps on Booking.com app:
Check your PIN – Look for an official Booking.com email about a new reservation PIN.
Verify email senders – Genuine Booking.com emails always come from an @booking.com address (e.g., noreply@booking.com).
Avoid off-platform payment requests – If a hotel asks for payment via WhatsApp or an external link, don’t respond. Contact the hotel directly using a verified number or call Booking.com Customer Service.
Turn on two-factor authentication (2FA) – Add extra security to your account in the settings.
We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.
