
The Personal Data Breach Surveillance Centre, or PDPC Eagle Eye, under the Office of the Personal Data Protection Committee, has raised its cyber threat warning to the highest level after detecting a wave of online fraud targeting users of Booking.com.
The agency said criminals were using leaked personal data to run targeted scams that were more convincing and more dangerous than the broad-based online fraud schemes seen in the past.
PDPC Eagle Eye said the leaked information in the hands of fraudsters included names, email addresses, phone numbers and, most critically, genuine reservation details such as hotel names and stay dates. That has enabled scammers to pose as hotel employees or Booking.com support staff with alarming credibility.
Victims are typically approached through WhatsApp or in-app chat, told there is a payment problem or a credit card issue, and warned that their booking will be automatically cancelled within 12 to 24 hours unless they act immediately.
The next step is usually a phishing link designed to look like an official payment page, or a demand for a deposit to be transferred into a personal bank account.
The warning comes after Booking.com confirmed earlier in April that unauthorised third parties had accessed some customers’ reservation-related data.
The company said the exposed information could include booking details, names, email addresses, physical addresses, phone numbers and anything guests may have shared with the property.
Booking.com said financial information was not accessed, and it reset the PINs linked to affected reservations as a precaution.
Reports of the incident began surfacing around April 13, with customers also being warned to stay alert for phishing attacks.
The scam has been especially effective because the messages contain real travel information, making them look like genuine communications from a booked hotel or the platform itself. Security reporting has linked the incident to WhatsApp and SMS phishing campaigns built around exact hotel names, check-in dates and booking references.
Some researchers believe the breach may have stemmed from compromised hotel partner accounts rather than a direct intrusion into Booking.com’s central systems, although that mechanism has not been publicly confirmed by the company.
PDPC Eagle Eye urged travellers to go back to their original confirmation email and verify whether the reservation was meant to be paid at the property or charged in advance.
It said customers should never provide card numbers, CVV or OTP codes through chat, and should never transfer money into a personal account.
If anything appears suspicious, travellers should contact the hotel using a phone number found independently from a trusted external source such as the hotel’s official website or Google Maps, rather than using a number sent in a message.
The agency also warned users to watch for PIN reset or unusual login emails and to change their password immediately if such alerts appear. Booking.com customers have separately been advised not to share credit card details by email, phone, text or WhatsApp.
PDPC Eagle Eye said operators and digital platforms have a duty under Thailand’s Personal Data Protection Act to maintain the security of customer data.
It added that anyone who spots signs of a personal data breach, or suffers damage linked to the case, can file a complaint with the centre so that an investigation can proceed and legal action can be taken against those involved.