In the email, Bastion warned guests not to respond to the messages and not to click on any links. The cybercriminals likely got their contact details through a data breach, either at Booking.com or at the hotel, but this has not been confirmed.
One Bastion Hotels guest told AD that he suddenly received WhatsApp messages from a company in Brazil on Tuesday. The company knew a suspicious amount about him - his name and phone number, as well as his travel information. They knew which hotel he stayed at and when.
The guest sent AD screenshots of the rather vague messages, seemingly trying to convince him to make a payment. “We understand you’re concerned about payments, so let’s clarify this,” one message reads. “During verification, the booking amount will be temporarily blocked for just 1 minute. You must confirm this via a push notification in your banking app.” The man did not trust the messages and blocked the sender.
Another Bastion guest told AD that they got scammed. “I’ve asked Bastion Hotels for clarification, both by phone and email, but I’ve received the same blunt answer: they’re working on it. I asked if they’ve reported the leak: no answer.”
Bastion Hotels told AD that it did not have time to answer the newspaper’s questions right now. “We understand your concern, but as you’ll understand, we have other priorities right now,” a spokesperson told AD in writing. “We’ll get back to you as soon as we have more information.”
Under European privacy legislation, businesses must report data breaches to the Dutch Data Protection Authority (AP). AP could not tell the newspaper whether it received a report, citing privacy regulations.
