More than 100 hotels in the Netherlands have been impacted by a data breach that exposed guest and reservation information.
The stolen data enabled cybercriminals to send convincing phishing messages to travelers, while similar incidents have also been reported by hotels in Belgium and Ireland.
The breach was disclosed by Dutch hospitality services company Hospecs, which says affected guests have received messages asking them to confirm and pay for existing reservations. According to Hospecs Managing Director Tim Vissers, reports have been steadily increasing, with dozens of phishing messages being sent daily and the total potentially reaching into the hundreds or thousands.
The source of the breach remains unknown. However, Vissers told Dutch broadcaster NOS that the leak likely originates somewhere within the software ecosystem used to process hotel reservations. Modern bookings typically pass through multiple systems, including property management systems (PMS), booking engines, channel managers, and central reservation platforms.
Hospecs, which operates hotels and provides services to the hospitality sector, has launched an independent investigation to determine the scope of the incident and identify any common links between affected organizations. The company is collecting information from hotels that have experienced incidents since May 25, 2026, including details on the software they use and examples of phishing messages sent to guests.
According to Hospecs, the goal is to establish the scale of the breaches, identify shared systems or suppliers among affected hotels, and determine whether a common cause exists. The company noted that similarities may exist in the technologies and integrations used by impacted organizations, though no specific vendor has been identified as the source of the leak.
The Dutch hospitality trade association Koninklijke Horeca Nederland (KHN) said the hotel booking ecosystem is highly interconnected, making it difficult to determine where guest data may have been intercepted or misused. The organization also pointed to the complexity of online reservation systems and urged hotels and guests to remain vigilant.
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) has confirmed that it is investigating the incident.
Because the phishing messages contain legitimate reservation details, they can appear highly credible to recipients. Guests are advised to verify any payment requests directly with their hotel through official channels before clicking links or providing payment information, while hotels should preserve evidence, review affected systems, and assess whether breach notifications are required.
Leave a Reply