A data breach affecting at least 100 Dutch hotels has exposed guest reservation details and is fueling a wave of convincing fake payment requests targeting customers, hospitality services firm Hospecs confirmed on Tuesday. Managing director Tim Vissers told broadcaster NOS that affected guests could number in the hundreds or thousands, with further reports now arriving from Belgium and Ireland. The Dutch data protection authority (AP) has opened an investigation.
What Happened
Hospecs, a company that operates hotels and supplies technology and services to the wider Dutch hospitality sector, disclosed the breach after a surge of reports from guests receiving fraudulent payment demands. According to Hospecs, the affected properties share certain booking, channel-management, or property-management systems, suggesting the intrusion occurred upstream of any single hotel. The company has not publicly named the suspected supplier while its investigation continues. Industry group KHN has urged anyone with a Dutch hotel reservation to verify the sender of any payment-related message before acting.
What Was Taken
Stolen records include guest contact details and arrival and departure dates tied to active and recent reservations. While the full scope is still being mapped, Hospecs confirmed at least 100 Dutch hotels have been impacted, with additional reports coming in from Belgium and Ireland. The exposure is particularly potent for social engineering: attackers possess legitimate booking specifics (dates, properties, guest names) that lend authenticity to fraudulent payment requests sent in the days before a stay.
Why It Matters
This incident illustrates the cascading risk of shared SaaS infrastructure in the hospitality vertical. A single compromised channel manager, property management system (PMS), or booking integration can expose guest data across hundreds of independent hotels and multiple countries simultaneously. The breach also extends a clear pattern in 2026 of reservation-data theft being weaponized into high-conversion payment fraud, following the April Booking.com incident in which attackers used the platform's own messaging to push identical payment-demand scams. For defenders, the trend confirms that hospitality booking data is now a priority target for fraud-focused threat actors, not a low-sensitivity dataset.
The Attack Technique
Hospecs has not confirmed the initial access vector, but Vissers pointed to the intermediary layers between reservation and confirmation as the likely weak point. "Between making a reservation and confirming it, there are several layers," he said, referencing the systems that log bookings and set prices. The shared-supplier pattern across victim hotels strongly indicates a third-party software compromise rather than individual hotel breaches. Once in possession of guest records, the attackers send phishing messages, reportedly dozens per day, impersonating the booking hotel and demanding pre-payment for the reservation. Because the messages reference real bookings with accurate dates and details, recipients have a much harder time identifying them as fraudulent.
What Organizations Should Do
- Audit hospitality SaaS dependencies. Inventory all channel managers, PMS platforms, and booking integrations in use and verify each vendor's incident disclosure posture and recent security attestations.
- Pressure-test third-party access. Review API tokens, OAuth grants, and service accounts held by booking software vendors; rotate credentials and enforce least privilege on guest-data endpoints.
- Alert guests proactively. Hotels should notify customers with active bookings that legitimate payment requests will not come via SMS or email links, and provide a verified phone number for payment confirmation.
- Monitor for impersonation infrastructure. Watch for newly registered domains mimicking hotel brands or booking platforms, and submit takedown requests through registrars and email providers.
- Coordinate with the AP and law enforcement. Hotels in scope should engage the Dutch data protection authority early and share IOCs with sector peers via KHN or national CSIRT channels.
- Review logging on booking pipelines. Ensure that PMS and channel-manager activity is centrally logged and retained, so that any later confirmation of the upstream breach can be matched against tenant-level access patterns.
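One way to approach the impersonation-monitoring item above, as an added example that is not from the source article or from Hospecs: a small triage script that scores newly registered domains against hotel brand labels. The brand names, allow-list, lure terms, feed entries and the edit-distance threshold of 2 are all assumptions constructed for illustration, and punycode (xn--) labels are not decoded here.

```python
import re
import unicodedata

# Constructed sample data: hypothetical brand labels and allow-listed domains.
BRANDS = ["hoteldezwaan", "grachtenhof"]
LEGIT = {"hoteldezwaan.example", "grachtenhof.example"}
# Payment/booking lure terms (English and Dutch), matched as substrings.
LURE_WORDS = ("pay", "betaling", "booking", "reserv", "confirm", "verify", "guest")
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def normalize(label):
    """Fold accents and digit-for-letter swaps, keep only a-z."""
    folded = unicodedata.normalize("NFKD", label.lower())
    ascii_only = folded.encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_only.translate(HOMOGLYPHS))

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess(domain):
    """Return (brand, reasons) for a suspicious domain, else None."""
    domain = domain.lower().rstrip(".")
    if any(domain == d or domain.endswith("." + d) for d in LEGIT):
        return None  # the hotel's own domain or a subdomain of it
    host = domain.rsplit(".", 1)[0]  # drop the TLD
    tokens = [normalize(t) for t in re.split(r"[.\-_]", host)]
    flat = "".join(tokens)
    for brand in BRANDS:
        if brand in flat:
            reasons = ["brand-string"]  # exact brand after homoglyph folding
        elif any(t and edit_distance(t, brand) <= 2 for t in tokens):
            reasons = ["near-miss"]     # typo-squat of the brand label
        else:
            continue
        return brand, reasons + ["lure:" + w for w in LURE_WORDS if w in flat]
    return None

# Constructed feed of newly registered domains (reserved TLDs, not real IoCs).
FEED = ["hoteldezwaan-betaling.example", "h0teldezwaan.test",
        "grachtenhov-guest.example", "fietsverhuur-utrecht.example",
        "hoteldezwaan.example"]

if __name__ == "__main__":
    for name in FEED:
        print(name, "->", assess(name))
```

Hits that combine a brand match with a lure term are the ones to prioritize for takedown requests and guest warnings.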
Sources: Mass data breach on over 100 Dutch hotels hits guests - DutchNews.nl