Hotels.com this morning alerted its Australian customers to a security breach in which “your name, address, e-mail address, hotel booking history, reward nights, and the last four digits of your stored credit card” may have been accessed between May 22 and May 27.
A quick online search reveals it is the latest of several cyber attacks on the company’s customer records over the past few weeks across a number of its major markets. Here is the email from Hotels.com:
“We are writing to make you aware of recent activity involving Hotels.com accounts that leads us to believe that some of your personal information, including your reward nights, may have been accessed by an unauthorised user.
“However, rest assured that your full credit card information was not compromised on our website.
“On 22 May – 29 May, 2017, we detected unusual user activity with a number of accounts, including yours, which we believe resulted from an unauthorised user accessing the accounts using customers’ usernames and passwords.
“The accessed data could have included your name, address, e-mail address, hotel booking history, reward nights, and the last four digits of your stored credit card—but only if a user selected the option to save credit card numbers.
“If we’re able to verify that free nights were recently removed from your account without your authorisation, we will quickly restore those nights.
“We are taking steps to ensure the continued security of your data, including resetting all compromised passwords.
“When you attempt to log in to your account, you will receive a message that will provide you with instructions on how to change your password.”
Hotels.com later commented: “It is important to note that we are not aware of any evidence that information accessed has been misused, however we suspect that certain Hotels.com customer accounts may have been accessed by an unauthorized user following a breach of other brands’ websites.
We are advising customers not to re-use passwords across multiple websites and to protect themselves by creating strong, unique passwords for each online site because if access has been gained on another website and a customer is using the same password across multiple websites, as may have happened here, this increases the risk of unauthorized access.”