Booking.com Just Lost Your Guests' Data. Again. And IHG Wants You Excited About a Free Night.

A data breach exposing guest names, emails, addresses, and reservation details should be the biggest story in hospitality this week. Instead, it's buried under a loyalty promo and an airline status match, which tells you everything about how this industry prioritizes shiny objects over the things that actually erode trust.

Let me tell you what caught my eye this morning, and it wasn't the promotion.

Booking.com confirmed that unauthorized third parties accessed customer booking information... names, email addresses, physical addresses, phone numbers, reservation dates, and communications shared with properties. They say no financial data was compromised, which is the corporate equivalent of "but the house is still standing" after a kitchen fire. The house might be standing, but nobody wants to eat there tonight. And Booking.com hasn't disclosed how many customers were affected, which in my experience means the number is large enough that saying it out loud would make the headline worse. They reset PINs. They sent emails. They called it "contained." This is the same company that got hit in 2018, affecting over 4,000 people, and caught a €475,000 fine from Dutch regulators for dragging their feet on disclosure. The pattern isn't new. The pattern is the point.

Here's where this gets interesting for anyone running a hotel. Your guests booked through Booking.com. Their personal information... the stuff they trusted a platform with... is now floating around in places it shouldn't be. And the follow-on isn't the breach itself, it's the phishing. Someone with a guest's name, their reservation dates, their email, and the name of your property can craft a message that looks exactly like it came from your front desk. "Dear Mrs. Patterson, regarding your upcoming stay on April 22nd, we need to verify your payment information..." That email isn't coming from you, but it's wearing your name. And when that guest gets scammed, who do you think they blame? Not the faceless OTA. They blame the hotel whose name was on the email. Your brand. Your reputation. Your TripAdvisor review. I sat in a franchise review once where an owner discovered that a wave of chargebacks at his property traced back to a third-party platform breach six months earlier. Nobody at the brand could explain how guest data had leaked. Nobody at the OTA returned his calls. He was just... holding the bag.

Now, in the same news cycle, we get IHG running promotions (targeted bonus Elite Night Credits through May, one per night stayed, up to five, for eligible stays of $30 or more) and Air France-KLM's Flying Blue program selling status matches at $99 for Silver and $199 for Gold. These are fine. These are normal loyalty mechanics. The status match is smart... it's designed to poach elite flyers from competing alliances, and the price points are low enough to generate volume. IHG's targeted credits are standard engagement plays to keep members booking direct. None of this is revolutionary, and none of it should be treated as news that changes your week. But here's what bothers me... the industry's attention economy is broken. A loyalty promo gets the same headline weight as a data breach that exposes the personal information of an unknown number of travelers. The shiny thing and the dangerous thing sit side by side, and the shiny thing gets more clicks. That's how trust erodes. Not in one dramatic moment, but in the slow drip of treating security incidents as secondary stories while we celebrate a free third night.

The brand promise and the brand delivery are two different documents, and right now, the delivery document has a hole in it the size of a guest database. If you're an owner with significant OTA exposure (and let's be honest, most of you are), this breach should change how you think about channel mix, not because direct booking is a magic shield, but because every intermediary that touches your guest data is a potential point of failure. And when that failure happens, the guest doesn't call the intermediary. They call your front desk. The question nobody's asking is whether your brand has a protocol for when a third-party breach puts your property's name on a phishing email. (Spoiler: most don't. I've checked.)

Operator's Take

Here's what I'd do this week if I'm running a hotel with any meaningful OTA volume. First, check with your front desk team right now... are they trained to handle calls from guests who received suspicious emails mentioning your property? If the answer is no, fix that before Friday. Second, reach out to your brand's regional support and ask specifically what their protocol is when a third-party platform breach exposes reservation data tied to your property. Get it in writing. If they don't have one, you just identified a gap your owner needs to know about. Third, look at your channel mix. I'm not saying pull off the OTAs... that's not realistic for most of you. But every point of OTA exposure is a point of data vulnerability you don't control. If this doesn't move the needle on your direct booking investment conversation, I don't know what will. This is what I call the Invisible P&L... the cost of a data breach never shows up on your operating statement, but it destroys margin through chargebacks, reputation damage, and guest trust you spent years building.

— Mike Storm, Founder & Editor
Source: Google News: IHG
The views, analysis, and opinions expressed in this article are those of the author and do not necessarily reflect the official position of InnBrief. InnBrief provides hospitality industry intelligence and commentary for informational purposes only. Readers should conduct their own due diligence before making business decisions based on any content published here.