Up to 10,000 customers of the hotel booking website Booking.com have been the victims of scammers using fraudulently obtained email addresses to steal thousands of pounds, the company has been forced to reveal.
An investigation by the BBC programme Money Box found that fraudsters accessed Booking.com reservations, enabling them to obtain contact details which they used to send customers demands for pre-payment. The security breach is believed to have affected customers in the UK, US, France, Italy, Portugal and the United Arab Emirates (UAE).
The company insisted that it is not the victim of a data breach, and that criminals are instead sending messages to hotels to acquire guest details.
This is known as a phishing scam: criminals acquire sensitive information such as usernames, passwords and credit card details by sending emails that masquerade as coming from trustworthy companies.
In this case scammers gained customers' emails – either from hacking into Booking.com or hotel security systems – and emailed customers to ask for upfront payments for hotel bookings they had made through the site.
Several customers told the BBC they had been targeted by the scammers, and in some cases had been duped into paying thousands of pounds.
Claire Coldwell from West Yorkshire told the BBC that she had used Booking.com to book hotel rooms for herself and her colleagues, who were attending a trade fair in London, and got an email purportedly from the Hilton Hotel she had a reservation with, asking for £3,000 in advance.
She told BBC News: "I got an email supposedly from Booking.com saying that because of the unusually high demand for those dates, the Hilton had taken the decision to ask for pre-payment in full for the whole week."
Coldwell then got an email supposedly from the Hilton with similar demands. "They had everything like the reservation number, names of guests and the logos looked accurate."
And Jane from Niagara Falls in Canada used Booking.com to reserve a room for a four-day stay in London. She received an email claiming to be from Booking.com, and told the BBC: "It looked very authentic. I fell for it. We paid approximately C$1,500 (£700)." She complained to Booking.com and it refunded her.
Peter Kornelisse, chief security officer at Booking.com, said it was working with hotels to make security improvements and notifying guests that it knew were affected by the phishing scams: "We estimate around 10,000 people are affected. We are protecting our customers, hotels and Booking.com continuously. We have a battle against organised crime. We've made technical improvements in several areas."
But Ramesh Siram, general manager of the Shoreditch Inn, London, said Booking.com was too slow to react to the security breach, and customer service agents were not aware of the problem.
However, Kornelisse insisted that Booking.com customers were informed "to a certain extent".
He added: "We can warn today about a specific scenario that takes place and the next moment we have a different scenario. We contacted all the guests who are affected by the phishing attacks and we took the burden of our guests."
A spokesperson for Hilton Worldwide added: "Our initial investigation has found this incident is not the result of a breach of Hilton systems or websites.
"We have asked Booking.com to ensure their investigation is thorough, and appropriate action is taken. Guests who have received suspicious emails should contact their booking provider immediately and not respond to these emails."
Booking.com, which is based in the Netherlands, says on its website that its customers book 700,000 room nights in more than 200 countries every day.