How Hackers Are Stealing Guest Data from 350+ Hotels Worldwide

More than 350 hotels, vacation rentals, motels, and guesthouses across 50 countries have had customer data accessed through reservation hijacking scams, according to Norton security company analysis published on May 28, 2026. Cybercriminals are targeting booking details and personal information to craft convincing phishing messages — emails or texts designed to trick people into giving up credit card numbers and other sensitive information.

Where the Attacks Are Happening

Germany has the most affected properties, followed by France, the UK, Italy, Spain, and the United States. These countries are home to major tourist destinations and developed economies. The attacks have hit small and independent hotels much harder than large hotel chains.

This makes sense when you look at security resources. Big chains invest heavily in cybersecurity technology and staffing. Smaller hotels often lack dedicated IT teams and rely on third-party booking platforms or property management software — the systems that handle reservations and operations — without much oversight of how secure those systems really are. With thousands of independent hotels managing their own reservation systems, attackers have a huge target to work with.

How the Attack Works

The attackers gather legitimate booking details: guest names, reservation numbers, check-in dates, and phone numbers or email addresses. They then use this real information to craft phishing messages that look like they're coming from the hotel.

What makes this effective is that the attackers know details about the booking that only the hotel and guest should know. A traveler who receives an email about their upcoming reservation — with their correct name, dates, and confirmation number — is more likely to trust it and click on a malicious link or enter payment information. The attacker has solved the credibility problem that catches most phishing attempts.

The timing matters too. Messages arrive claiming to be payment confirmations, booking updates, or requests to verify information. Travelers are naturally anxious about accommodations, so they tend to respond quickly without thinking twice.

Why Hotels Are Vulnerable

Hotels use property management systems (PMS) and customer relationship software to run their operations, but these platforms were often built with convenience and speed in mind, not strong security protections. Guest data moves through many different systems and companies: online travel agencies like Expedia, the hotel's own booking website, payment processors, and the hotel's internal systems. Each connection is a potential weak point where hackers can slip in, and most hotels don't have full visibility into how their data flows through all these systems.

We have seen this pattern before, when retail stores faced similar problems during the early days of online shopping. Major retailers were hit with credit card breaches in the 2010s because they prioritized fast transactions over security. The hospitality industry is following a similar path now, but with added complications — hotels operate internationally and have to deal with different privacy laws in different countries.

What This Means for Security Teams and Travelers

Here is what stands out: this is not a random attack on a few hotels. It is organized, happening across multiple countries at once, and targeting the hospitality sector specifically. Companies that book travel for their employees should think carefully about the security practices of the hotels they use.

The way attackers are using stolen booking data also shows a shift in how cybercriminals think about stolen information. They are not just grabbing data and selling it immediately. Instead, they are using it for more sophisticated follow-up attacks — phishing campaigns — that might happen weeks or months after the initial breach. Traditional approaches to data breaches — notifying people and offering credit monitoring — may not fully address this extended threat.

The targeting pattern suggests that attackers are doing reconnaissance first, scanning hotel booking systems for common software vulnerabilities and checking which hotels might have weaker defenses. For travelers, the lesson is simple: if you get an unexpected email or text about your booking, verify it by calling the hotel directly or visiting the official hotel website rather than clicking links in the message. Even accurate booking details do not prove the message is real.

Looking forward, this incident will likely push hotels to invest in better ways to authenticate messages to guests and stricter rules around how reservation data is handled and shared. The financial hit of losing guest trust, combined with tighter data protection regulations in many countries, creates real pressure for change. Beyond individual hotel security measures, the hospitality industry could benefit from sharing threat information across the sector — letting small, independent hotels learn from attacks on others and giving them access to defensive tools that previously only large chains could afford.