Over 350 Hotels Hit by Booking Scam — What Travelers Should Know

A security firm called Norton found that more than 350 hotels, vacation rentals, and guesthouses in 50 countries have been hit by a scam targeting customer information. The criminals steal real booking details and use them to trick people into revealing credit card numbers and personal data.

Where This Happened

Germany had the most affected properties. France, the UK, Italy, Spain, and the United States also saw a large number of compromised hotels, mostly in popular tourist destinations.

Small and independent hotels were hit much harder than big hotel chains. Large chains invest heavily in security, but smaller properties often have fewer IT staff and resources to protect customer information. Many small hotels use booking platforms or management software from other companies without much oversight of how secure those systems really are.

How the Scam Works

The criminals start by stealing booking information: guest names, reservation numbers, check-in dates, and phone numbers or email addresses. Then they use this real data to send fake messages to travelers that look like they come from the hotel.

The scam is clever because the fraudsters actually know real details about the guest's reservation. When a scammer sends an email saying something is wrong with your booking, it feels genuine because they mention specifics only the hotel would know. This makes people less suspicious.

The criminals often time their messages to look like booking confirmations or payment problems. People naturally worry about their hotel reservation when they're about to travel, so they're more likely to respond quickly and less likely to think carefully about whether the message is real.

Why Hotels Are Vulnerable

Most hotel booking systems were built to make reservations fast and easy, not necessarily to be very secure. When a hotel takes a booking, that guest information passes through many different systems: travel websites, payment processors, the hotel's own computer system, and more. Each of these handoff points could be where hackers break in, and most hotels don't have full visibility into all of these connections.

We have seen this pattern before. In the 2010s, large retailers were hit with similar hacks at their payment systems. Back then, companies were focused on processing transactions quickly, and security wasn't always treated as a top priority. The hotel industry is going through something similar now, with the added challenge that hotels operate across different countries with different rules.

What This Means for You

The bigger picture here is that criminals are becoming more organized. This wasn't a random attack on a few hotels — it was a coordinated effort across multiple countries. The scammers likely spent time studying which hotels had weaker defenses before attacking.

The main lesson for travelers is straightforward: if you get an email or text about your reservation that seems odd, don't click links in the message. Instead, call the hotel directly using the phone number from your confirmation email, or log into your account on the hotel's website directly. Real booking details in a message do not mean the message is authentic.

Looking ahead, hotels will likely invest more in security because they need to keep customers' trust. New rules about protecting personal data are also giving hotels more reason to improve. Sharing threat information between hotels and technology companies could also help smaller properties protect themselves better — creating better defenses for independent operators.

The Takeaway

If your booking details are out there, scammers can use them to craft messages that feel legitimate. The fix starts with you: verify any unexpected booking messages through another channel before responding.