An undisclosed number of travelers who use Hotels.com may have been victims of a phishing scheme. The company said some customers were recently tricked into disclosing their names, phone numbers, email addresses and travel bookings.
An individual was reportedly able to convince customers that they represented either Hotels.com or the hotel where they booked a stay through phony emails and SMS messages, according to an email sent to travelers this morning.
The notice, which stresses that credit card data was not compromised in the incident, goes on to warn users to exercise caution when it comes to clicking on links and transferring money to bank accounts listed in emails from the individual.
One of the more popular booking websites, Hotels.com lists 435,000 hotels in more than 60 countries.
The site is encouraging users that may have been duped into giving their payment information away to contact their banks for further guidance. While details around the scam are slim, the company insists they’ve looked into the incident and reached out to those affected.
“We have investigated this phishing incident thoroughly, and impacted customers are being or have been notified and advised of any appropriate action they may need to take,” Ingrid Belobradic, a consumer and corporate PR manager with Expedia, Hotels.com’s parent company, said when reached Wednesday.
It’s still unclear exactly how the individual was able to collect the email addresses of Hotels.com customers in the first place or exactly when they carried out the phishing.
Belobradic said that as a result of the incident, as an enhanced security measure, Hotels.com went ahead and implemented multifactor authentication between their hotel partners. It also distributed “various education mechanisms” to prevent future fraud to its partners this week.
Unsuspecting travelers who stay at hotels are consistently a prime target for hackers.
A CSRF vulnerability caught just in time could have exposed the personal information of Hilton Worldwide customers, including email address, physical addresses, and the last four digits of any credit card number they had on file, earlier this year. A breach in March due to “undetectable malware” affected both European and U.S. travelers who stayed at an “isolated number” of Mandarin Oriental hotels.
White Lodging, a development company in charge of managing the Hilton, Marriott, Sheraton and Westin chains, was actually hit by a breach twice – once in 2013 and again in 2014. Both incidents leaked guests’ credit and debit card information, including security codes and card expiration dates.
The Hotels.com scam sounds similar to one that plagued Booking.com last fall. Travelers were reportedly tricked into giving money to attackers who claimed they represented the website last November. In that case Booking.com claimed criminals were able to obtain customer details by sending messages to hotels to gather guest’s details.
Roughly 243,000 Hotels.com customers were told to keep tabs on their personal data almost a decade ago when an Ernst & Young auditor had a laptop containing their personal information stolen from his car. The laptop included the names, addresses and credit card information of about customers who had stayed at hotels in 2004.