Booking.com confirmed a data breach and Canadian travellers are now targets — here's what to watch for

This isn't the first time a reservation hijacking scam wave has appeared — the BBC has reported on multiple instances since 2023 (5), and phishing is one of the top 10 types of fraud in Canada based on the number of reported incidents.

According to the Canadian Anti-Fraud Centre's (CAFC) 2024 Annual Statistical Report, there were over 3,500 reports of phishing sent to the agency and over 1,000 targets (6). Phishing was one of two fraud types that increased in victimization. However, the CAFC also notes that reported fraud likely only accounts for five to 10 percent of all fraud in Canada (7).

How to spot reservation hijacking red flags

If you're one of 72% of Canadians planning to travel this year (8), you need to be on the lookout if you've made any reservations with Booking.com. Here are some expert tips to help you notice any signs of potential fraud (9).

• Be wary of external links. If you receive an email, text message or direct message with an external link, always exercise caution. Even if it appears to be legitimate, verify it by contacting the company you booked with first. Never click on a link you aren't certain is legitimate.
• Watch for urgent language. Be skeptical of language that prompts you to act quickly or immediately, especially if it is asking for personal information. Take special note of any threats in the email that seem out of character for the company, such as a warning your account will be closed if you don't confirm your booking information.
• Check for inconsistencies. While fraudsters can create compelling emails and other online traps, their efforts are not always impeccable. Review the email address or website link to see if there are any spelling mistakes or slightly odd phrasing (e.g. bookingsite.com instead of booking.com). These are strong warning signs.

Stop leaving money on the table with high fees and low interest. View our top-rated Canadian banks and switch to a better account today.

What to do if your information is compromised in a data breach

Hearing that your data has been compromised due to a breach can send you into a panic. Thankfully, there's a simple protocol for Canadians to follow if their information has been compromised (10).

1. Contact your service provider and financial institutions. As soon as you are aware that your data is compromised, alert any companies where that account information was used, as well as your bank.
2. Flag the issue to credit bureaus. The next step is to contact Equifax and TransUnion, Canada's main credit bureaus. Ask them to place a fraud alert on your credit report. Doing this prevents anyone from borrowing money on your behalf — lenders will need to contact you personally before approving any credit applications.
3. Report the issue to the authorities. Even if no fraud has occurred following the breach, reporting the incident to your local police and the CAFC is good practice.
4. Take precautionary measures. You can never be too careful with your online identity following a data breach. Don’t just change your password for the compromised account, do so for your email, online shopping profiles, banking accounts, etc. It's also critical to review your banking and credit card statements on a regular basis going forward to catch any odd transactions you didn’t authorize. Ordering a copy of your credit report and reviewing it is also a prudent choice.

Article Sources

We rely only on vetted sources and credible third-party reporting. For details, see our ethics and guidelines.

Booking.com (1); CBC News (2); Government of Canada (3); Cloudflare (4); BBC (5); CAFC (6); Competition Bureau Canada (7); Ipsos (8); Norton (9); Financial Consumer Agency of Canada (10)