Booking.com has confirmed a data breach exposing guest reservation details — names, addresses, emails, phone numbers, travel dates, and private messages with properties. The company began forcing PIN resets and notifying affected users from 13 April. Initial reporting by TechCrunch and follow-up coverage from Malwarebytes points at a familiar pattern: the data was siphoned not from Booking.com itself, but from compromised hotel partners hit with ClickFix-style phishing. Microsoft has linked the wider campaign, run by a group tracked as Storm-1865, to scraping activity across more than 170 hospitality operators.

For Australian hotels, pubs with rooms, B&Bs, and short-stay operators, this is the real worry. If you accept bookings through Booking.com, your extranet account is a direct target. An attacker who tricks a front-desk or reservations staff member into running a fake “verification” script can sit inside your inbox, see every incoming guest, and then message those guests from what looks like a legitimate property account — demanding “re-verification” of card details or a prepayment to a new account. Guests lose money and blame the hotel, not Booking.com. Under Australia’s Privacy Act, your business is also on the hook for any personal information attackers pulled out of your systems along the way.

The practical steps are unglamorous but work. Enforce MFA on every extranet account — Booking.com, Expedia, Agoda, Airbnb, the lot. Train reception and reservations staff to never run “fixes” pasted into a browser or terminal, and to verify any unusual guest communications by phone using a number they already have on file. Check extranet login history weekly for unfamiliar IPs. Keep an eye on your own email for forwarding rules you didn’t set — that’s the classic sign of a compromised mailbox.

Hospitality IT is our thing. If you’d like help tightening up extranet access, staff phishing training, or email security across your property, our hospitality team can walk you through it.