ctipilot.ch

Dutch/Belgian/Irish booking-SaaS breach

incident · incident:dutch-hotels-booking-saas-breach-2026

Shared booking-SaaS breach exposes guests at 100+ Dutch, Belgian and Irish hotels, feeding a phishing wave.

Coverage timeline
1
first 2026-06-01 → last 2026-06-01
Peak priority
notable
1 notable
Sources cited
2
2 hosts
Sections touched
1
weekly-incidents-recap
Co-occurring entities
0
no co-occurrence
ATT&CK techniques
0
no mapped behavior yet

Story timeline

  1. 2026-06-01Booking.com WhatsApp phishing + upstream hotel SaaS breach: real reservation data weaponised, 100+ properties affected, Dutch DPA opens investigation
    weekly-incidents-recap

Where this entity is cited

  • weekly-incidents-recap1

Source distribution

  • dutchnews.nl1 (50%)
  • ncsc.admin.ch1 (50%)

explore in graph

Entries about Dutch/Belgian/Irish booking-SaaS breach (1)

2026-06-01 · view entry permalink →

NOTABLE

Booking.com WhatsApp phishing + upstream hotel SaaS breach: real reservation data weaponised, 100+ properties affected, Dutch DPA opens investigation

NCSC-CH's Week 22 report (4 June; daily 2026-06-04) documents two phishing variants exploiting real booking data leaked in the April 2026 Booking.com compromise: Variant 1 — fake WhatsApp refund lure → TWINT/Swiss-bank-portal credential harvest; Variant 2 — attackers using compromised hotel booking-system credentials to message guests through the legitimate booking channel, demanding urgent card re-verification. Variant 2 breaks user-awareness controls because the message originates from a trusted platform (NCSC-CH). In the same window, a separate upstream booking/channel-management SaaS layer breach exposed guest reservation records (names, contacts, arrival/departure dates) for guests at more than 100 Dutch, Belgian and Irish hotels; criminals are already sending contextually accurate "confirm your reservation" phishing referencing real upcoming stays (DutchNews.nl). The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) has opened a GDPR investigation; Art. 33/34 notification clocks are running for each hotel as an independent controller.

incident01 Jun 05:00Zmulti-sourceOpen finding ↗