Scammers target leading online travel agent Booking.com

By Bob Howard Reporter, Money Box

7 November 2014

Online travel agent Booking.com has admitted that it has had to compensate customers whose personal details have been stolen.

Guests booking hotel rooms have unwittingly handed over money to criminals.

By accessing Booking.com reservations, the crooks have been able to obtain contact details to send customers demands for prepayment.

Booking.com is one of the biggest online travel agents. The Netherlands-based firm boasts on its website that every day customers book 700,000 room nights in more than 200 countries.

Bogus emails

They had everything like the reservation number, names of guests and the logos looked accurate Claire Coldwell, Booking.com customer

Claire Coldwell from West Yorkshire used Booking.com to book hotel rooms for her and her colleagues who were attending a trade fair in London.

She expected to pay at the end of her stay, but then she received emails and calls that said something different: "I got an email supposedly from Booking.com saying that, because of the unusually high demand for those dates, the Hilton had taken the decision to ask for prepayment in full for the whole week."

That would have meant Claire paying £3,000 in advance.

Claire then got an email supposedly from the Hilton requesting the same thing: "They had everything like the reservation number, names of guests and the logos looked accurate."

Claire was suspicious, not least because the email referred to an airport transfer and her group were going to London by train.

So she phoned Booking.com and was told to ignore the emails because the company never asked for payment up front.

Fraud alert

If you are asked to make a payment which differs to your policy via bank transfer or other means, please do not make a payment Booking.com

It then sent an email to Claire that confirmed this had been an attempt to steal her money by criminals: "We have been informed that scammers are targeting some customers in an attempt to gather data. If you are asked to make a payment which differs to your policy via bank transfer or other means, please do not make a payment."

Whoever we spoke to were not aware of the situation Ramesh Siram. General manager, Shoreditch Inn

But some customers have been targeted in an identical way since at least August, and have paid up.

Jane from Niagara Falls in Canada used Booking.com to reserve a room for a four-day stay in London.

She too received an email purporting to be from Booking.com but she had no reason to believe it was anything other than genuine: "It looked very authentic. I fell for it. We paid approximately 1,500 Canadian dollars, around £700 sterling."

She complained to Booking.com and it refunded her.

Peter Kornelisse, chief security officer at Booking.com, said the firm was on top of the problem: "We estimate around 10,000 people are affected. We are protecting our customers, hotels and Booking.com continuously. We have a battle against organised crime. We've made technical improvements in several areas. "

Booking.com said that once it noticed that a guest was affected by phishing activities, it immediately notified that individual guest.

It said its dedicated security teams were also working to contact and support accommodation partners who may have been affected by this situation.

But Ramesh Siram, the general manager of the Shoreditch Inn in London, felt Booking.com was slow to appreciate the scale of the problem: "We tried to contact them many times and all of the customer service agents, whoever we spoke to, were not aware of the situation. That's not really great or helpful for us. We needed to profoundly apologise to them, even though it's not our mistake."

Eventually, he said the hotel received an email from Booking.com warning about the attacks and asking it to be vigilant.

The British Hospitality Association, which represents the hotel industry, confirmed to Money Box this week that it knew of eight hotels where customers had had similar problems.

And Booking.com has told us customers from the UK, US, France, Italy, the UAE and Portugal had all been affected.

Those that have lost money have had it refunded.

Security issues

When told of this problem, Rik Ferguson from internet security firm Trend Micro, decided to test the Booking.com system.

They should be taking the utmost care in protecting the access to this information Rik Ferguson, Vice-president of security research, Trend Micro

By registering as a fictitious hotel, he found you could access the system with a log-in and password.

He says if these log-in details were obtained, customer security would be compromised: "With a site like Booking.com, the fact that they deal with millions of people's personal and financial information means they should be taking the utmost care in protecting the access to this information. If it's just a simple user name and password, that's not the utmost care."

Booking.com has insisted it is not the victim of a data breach but that criminals are obtaining customer details by sending messages to hotels to acquire guest details.

Peter Kornelisse said Booking.com was doing its best to warn customers but the fraud threat was constantly evolving: "We do inform customers to a certain extent. We can warn today about a specific scenario that takes place and the next moment we have a different scenario. We contacted all the guests who are affected by the phishing attacks and we took the burden of our guests."

Hilton and other hotels Money Box has spoken to have strongly denied the frauds are the result of a breach of their systems or websites.

A Hilton Worldwide spokesperson said: "Our initial investigation has found this incident is not the result of a breach of Hilton systems or websites. We have asked Booking.com to ensure their investigation is thorough and appropriate action is taken. Guests who have received suspicious emails should contact their booking provider immediately and not respond to these emails."

Since the fraud, Booking.com has made changes so data can only be accessed from a computer linked to the hotel's server.

Its teams have also worked to "take down" dozens of phishing sites, as well as working with some banks to freeze the money mule bank accounts.

Money Box is broadcast on Saturdays at 12:00 BST on BBC Radio 4 and repeated on Sundays at 21:00 BST. You can listen again via the BBC iPlayer or by downloading Money Box podcast .

Have you been affected by the bookingsecurity breach? Let us know your views