【Important Notice】 (Follow-up) Apology and Notice Regarding Possible Leakage of Personal Information Due to Unauthorized Access to Booking.com Management System and Message Distribution Leading to Phishing Sites
We deeply apologize for the inconvenience and concern caused to our customers regarding the incident of unauthorized access to the accommodation reservation information management system provided by Booking.com (hereinafter referred to as the management system) and the distribution of messages leading to phishing sites to some of our customers.
Regarding the “Important Notice: Apology and Notice Regarding Possible Leakage of Personal Information Due to Unauthorized Access to Booking.com Management System and Message Distribution Leading to Phishing Sites” announced on February 9, 2024, we would like to report the facts discovered during the subsequent investigation as follows:
Notice dated February 9, 2024
Please use the appropriate link URL depending on the language (Japanese or English).
1. Chronology of Events
On February 8, 2024, there was unauthorized access to our company’s Booking.com management system, and it was confirmed that messages leading to phishing sites were distributed to some customers who had made reservations for “WeBase Hakata Hostel” through Booking.com. There is a possibility that the Booking.com exclusive email addresses (an alias email address ending with @guest.booking.com) of customers stored in the management system were viewed by third parties.
On the same day, we requested Booking.com to invalidate the fraudulent URL sent to customers. Additionally, we sent messages (in Japanese, English, and Korean) to the affected customers who received the aforementioned messages and to all customers with future reservations through Booking.com, apologizing and urging them not to click on the fraudulent URL. For customers who had already clicked on the URL, we requested credit card suspension and password changes for their email addresses. Furthermore, we conducted password changes and computer security checks at all WeBase facilities. We have confirmed that there was no unauthorized access at other facilities and within the Booking.com main system.Affected customers who received the above-mentioned messages received an email (in English) from Booking.com advising caution by February 12, 2024.
2. Details of the Incident
(1) Affected Customers
Customers who made reservations for “WeBase Hakata Hostel” through Booking.com.
(2) Number of Potentially Leaked Personal Information
241 Booking.com exclusive email addresses of customers who reserved “WeBase Hakata Hostel” stored in the Booking.com management system.
(3) Personal Information Potentially Leaked
Booking.com exclusive email addresses (an alias email address ending with @guest.booking.com)
*According to Booking.com, there is no evidence that personal information such as name, address, phone number, email address, nationality, as well as payment-related information such as credit card information and financial institution account information, was viewed.
(4) Cause
Based on the investigation, the cause of the unauthorized access to the management system was determined to be clicking on a phishing email sent to the front desk of WeBase Hakata Hostel and logging into a fake management system.
(5) Secondary Damage or Possibility Thereof and Contents
We have confirmed that some customers provided their credit card information to the phishing site mentioned in the distribution message. There have been no reports of financial losses at the time of this news publication.
3. Future Response and Measures to Prevent Recurrence
Based on the investigation results, we have implemented additional security measures and reinforced employee education. We will continue to strengthen our measures to prevent recurrence.
4. Request to Customers
We kindly request customers not to access URL links attached to suspicious messages. If you receive a message with unfamiliar content, please contact Booking.com (phone number: +44-20-3320-2609) or WeBase Hakata Hostel (phone number: +81-92-292-2322, email address: hakatafrontdesk@we-base.jp) for inquiries.
We deeply apologize for the inconvenience and concern caused to our customers.
*”Phishing site” refers to a fake website disguised as a legitimate website, using fraudulent methods to steal personal information such as credit card numbers.
