Hotel Guests Warned After Hackers Access Reservation Information Across Netherlands
332 Mins Read
Hotel guests in the Netherlands are being targeted with convincing fake payment requests after criminals obtained reservation details through a data breach affecting at least 100 hotels, according to a hotel services provider.
Hospecs, a company that operates hotels and supplies services to the hospitality sector, confirmed the breach on Tuesday. The company told Dutch broadcaster NOS that stolen data includes guests’ contact details as well as their arrival and departure dates.
The source of the breach has not yet been identified. Hospecs Managing Director Tim Vissers said the vulnerability likely lies in software used by multiple hotels rather than in the hotels’ own systems.
“Between making a reservation and confirming it, there are several layers,” Vissers told NOS, referring to systems used to log bookings and set prices. “The leak seems to be in one of those.”
Hospecs said the affected hotels appear to share certain booking, channel-management or property-management systems, although it has not identified a supplier while the investigation continues.
Vissers said at least 100 hotels in the Netherlands have been affected, with additional reports coming from Belgium and Ireland. He estimated the number of impacted guests could eventually reach hundreds or thousands as investigators continue to assess the scope of the breach.
“The reports are pouring in,” he said, adding that dozens of phishing messages are being sent daily to hotel customers requesting payment for reservations.
The Dutch data protection authority, AP, said it is investigating the incident. Hospitality industry organization KHN urged travelers to carefully verify the sender of any messages related to hotel bookings.
The breach is the latest in a series of cybersecurity incidents affecting organizations in the Netherlands this year. Travel platform Booking.com warned customers of a reservation data breach in April.
Hackers have also stolen data this year from telecom company Odido, medical software firm ChipSoft and nearly all residents of the Dutch municipality of Epe.
In an earlier scam, Booking.com customers were targeted through the platform’s own messaging system using similar payment-demand tactics.
Guests with active reservations are being advised not to respond to payment requests received through messages and instead contact their hotel directly through official channels to verify whether any payment is required.
