Booking dot com? Booking dot Oh no! Wait, I don’t think that’s how the commercial is supposed to go. That might change for the time being, since the reservation giant has notified customers of a data breach, thanks to unauthorized access by a third party.
While financial data wasn’t compromised, enough information was – including names, addresses, reservations and communications between customers and hotels – whereby bad actors could still feasibly concoct all kinds of phishing schemes for unwitting customers. Some customers have indeed already reported being contacted by scammers, and even major charges to their credit cards.
At NetLib Security, we like to stress the importance of encrypting sensitive data so it becomes unusable for phishing and other such scams when hackers reach their target and extract the data from its intended environment.
In the hospitality and tourism industries, such phishing might take a more sophisticated form, like claims of faulty reservations in need of new payment information, or utilizing fake reservation alerts to try and trick people.
More transparent a ploy is hard to imagine. Yet phishing remains an evergreen source of income for bad actors, so clearly they still get plenty of bites on the line from those who aren’t as familiar with the technology or methods. And as the travel season nears, it risks becoming even more lucrative. What would your first instinct be if you were messaged the day before a trip that it had been cancelled, and you needed to contact them immediately?
Booking.com is at the top of the heap of reservation firms. They currently boast listings in more than 200 countries, and share a parent company with other such names as Kayak and OpenTable. A global reach is exactly the type of pedigree attractive to cyber criminals, and they have the tools to pull off their schemes. “It’s just an extension of cops and robbers that’s been going since the dawn of man, except the robbers are now high tech hackers and the stakes are much higher,” says Max Johnson, a consultant for TTJ Tourism.
Higher stakes means higher profits for successful cyber criminals, especially when sensitive data is left unencrypted for their grubby paws. A recent third party breach at Vercel, a web development platform, saw an employee using Context AI and giving it full read access to his Google Drive, unwittingly installing a malicious browser extension. The hacker was then able to exploit this Context AI access into Vercel Google Workspace access, including data that was not encrypted at rest. In the natural course of these stories, the stolen data on BreachForums has since been listed for $2 million.
How long until these organizations take cybersecurity seriously?