Mass data breach on over 100 Dutch hotels hits guests

People with hotel reservations in the Netherlands are being sent convincing fake payment requests by criminals who have obtained their booking details, after a data breach that has hit at least 100 hotels.

Hospecs, a firm that operates hotels and supplies services to the sector, confirmed the breach on Tuesday and told broadcaster NOS that the stolen data includes guests’ contact details and their arrival and departure dates.

Shared booking software suspected

It is not yet clear how the attackers got in, but Hospecs managing director Tim Vissers said the weak point probably lies in software used across multiple hotels rather than in the hotels’ own systems.

“Between making a reservation and confirming it, there are several layers,” he told NOS, pointing to the systems that log bookings and set prices. “The leak seems to be in one of those.”

Hospecs said the affected hotels appear to share certain booking, channel-management or property-management systems, though it has not named a supplier while its inquiry continues.

Reports still coming in

At least 100 Dutch hotels have been hit, Vissers said, with further reports arriving from Belgium and Ireland. He estimated the number of affected guests could eventually run into the hundreds or thousands, but said the picture was still being mapped.

“The reports are pouring in,” he said, adding that dozens of phishing messages were going out to hotel customers each day asking them to pay for their reservation.

The Dutch data protection authority AP said it is investigating. Hospitality industry group KHN urged anyone who has booked a room to check the sender of any message carefully.

Latest in a run of breaches

The case is the latest in a run of breaches to hit organisations in the Netherlands this year. Travel platform Booking.com warned customers of a reservation data breach in April.

Hackers have also stolen data this year from telecoms group Odido, medical software firm Chipsoft and nearly all residents of Epe, in Gelderland.

Booking.com customers were targeted with phishing through the platform’s own messaging in an earlier scam that used the same payment-demand tactic.

Guests with a live booking are advised not to act on payment requests sent by message, and to contact their hotel directly through its official channels to check whether a payment is genuinely due.