home page
Online travel agency revealed that it was hit by a phising attack in November.

Up to 10,000 customers of the hotel booking website have been the victims of scammers using fraudulently obtained email addresses to steal thousands of pounds, the company has been forced to reveal.

An investigation by the BBC programme Money Box found that fraudsters accessed reservations, enabling them to obtain contact details which they used to send customers demands for pre-payment. The security breach is believed to have affected customers in the UK, US, France, Italy, Portugal and the United Arab Emirates (UAE).

The company insisted it is not the victim of a data breach, but that criminals are obtaining customer details by sending messages to hotels to acquire guest details.

This is known as a phishing scam: when criminals acquire sensitive information such as usernames, passwords, and credit card details by sending emails masquerading as sent by trustworthy companies.

In this case scammers gained customers' emails – either from hacking into or hotel security systems – and emailed customers to ask for upfront payments for hotel bookings they had made through the site.

Several customers told the BBC they had been targeted by the scammers, and in some cases had been duped into paying thousands of pounds.

Claire Coldwell from West Yorkshire told the BBC that she used had to book hotel rooms for her and her colleagues who were attending a trade fair in London, and got an email purportedly from the Hilton Hotel she had a reservation with, asking for £3,000 in advance.

She told BBC News: "I got an email supposedly from saying that because of the unusually high demand for those dates, the Hilton had taken the decision to ask for pre-payment in full for the whole week."

Coldwell then got an email supposedly from the Hilton with similar demands. "They had everything like the reservation number, names of guests and the logos looked accurate." UK

And Jane from Niagara Falls in Canada used to reserve a room for a four-day stay in London. She received an email claiming to be from, and told the BBC: "It looked very authentic. I fell for it. We paid approximately C$1,500 (£700)." She complained to and it refunded her.

Peter Kornelisse, chief security officer at, said it was working with hotels to make security improvements and notifying guests that it knew were affected by the phishing scams: "We estimate around 10,000 people are affected. We are protecting our customers, hotels and continuously. We have a battle against organised crime. We've made technical improvements in several areas."

But Ramesh Siram, general manager of the Shoreditch Inn, London, said was too slow to react to the security breach, and customer service agents were not aware of the problem.

However, Kornelisse insisted that customers were informed "to a certain extent".

He added: "We can warn today about a specific scenario that takes place and the next moment we have a different scenario. We contacted all the guests who are affected by the phishing attacks and we took the burden of our guests."

A spokesperson for Hilton Worldwide added: "Our initial investigation has found this incident is not the result of a breach of Hilton systems or websites.

"We have asked to ensure their investigation is thorough, and appropriate action is taken. Guests who have received suspicious emails should contact their booking provider immediately and not respond to these emails.", which is based in the Netherlands, says on its website that its customers book 700,000 room nights in more than 200 countries every day.