When convenience becomes risk: what the Booking.com hack means for business travel
The latest Booking.com cyber incident is a stark reminder that convenience in travel booking often comes with hidden risk. Hackers didn’t just gain access to customer data - they used it, leveraging real booking details, names and contact information to send highly convincing phishing messages posing as hotels and requesting payments or verification. This wasn’t a generic scam; it was targeted, timely and highly contextual.
That is what makes this incident particularly concerning. Because the attackers had access to genuine reservation data, their messages arrived at exactly the right moment and appeared entirely legitimate. For the traveller, there is often no obvious red flag. Even experienced business travellers would find it difficult to distinguish between a real request from a hotel and a fraudulent one, especially when travelling, under pressure or managing a busy schedule.
This exposes a much broader issue within business travel. When employees book through consumer platforms, they are operating within a fragmented ecosystem where the booking platform, the hotel and the communication channels all sit independently of one another. Responsibility for validating information and making the right decision ultimately falls to the traveller, who is left without the tools, visibility or support to do so with confidence.
Duty of Care
For businesses, this is no longer just a cybersecurity concern - it is a clear duty of care issue. Travellers are being placed in situations where they must make real-time decisions about financial transactions and data security, often in unfamiliar environments. If something goes wrong, there is no single point of accountability, and resolving the issue becomes both complex and time-consuming.
As Scott Pawley, Managing Director at Global Travel Management, explains:
“This is exactly the kind of risk businesses introduce when they allow travel to sit outside a managed programme. Consumer platforms create a false sense of simplicity, but behind the scenes you have multiple systems, multiple suppliers and no single point of control.
That fragmentation is where risk lives - whether that’s cyber threats, booking errors, compliance gaps or travellers simply not knowing who to trust. A properly managed travel programme brings everything into one secure, accountable environment. It removes the guesswork for the traveller and gives the business full visibility and control.
Quite simply, if you’re relying on unmanaged channels for business travel today, you’re accepting a level of risk that most organisations wouldn’t tolerate elsewhere.”
This is where the difference between unmanaged and managed travel becomes critical. A managed travel programme replaces fragmentation with structure and control. Booking channels are consolidated and vetted, reducing exposure to compromised suppliers or unauthorised listings. Traveller communication is standardised and trusted, rather than relying on ad-hoc messages from unknown sources. Most importantly, traveller data is managed within a secure, controlled environment, rather than being distributed across multiple third-party systems.
Just as importantly, support becomes immediate and accountable. If a traveller receives a suspicious message or something doesn’t look right, they are not left to make that judgement alone. They have a single, trusted point of contact who can verify, advise and resolve the situation quickly.
The Booking.com incident is a clear signal that cyber threats in travel are evolving. Attackers are no longer just targeting systems - they are targeting journeys, using real data to exploit real moments of vulnerability.
For businesses, the question is no longer whether these risks exist, but how they are being managed.
Now is the time to review your travel programme and ensure it is built not just for convenience, but for control, security and traveller protection.