Today · Jun 19, 2026
Your PMS Has More Guest Data Than Ever. Nobody's Using It at 2 AM.

The hotel industry's "guest intelligence" conversation has shifted from collecting data to actually doing something with it. The problem isn't your PMS... it's that the person who needs the insight most is working the overnight shift with zero training on how to find it.

So here's the conversation the industry keeps having: we need better guest intelligence. More personalization. More data-driven service. And the answer, apparently, is always the same... upgrade your PMS. The global hospitality PMS market is projected to hit nearly $10 billion by 2035, up from roughly $5.8 billion in 2024. That's a lot of money chasing the promise that if we just centralize the data, magic happens.

It doesn't. Not automatically. Not even close.

I consulted with a hotel group last year that had just migrated to a cloud-based PMS. Beautiful system. Guest profiles, preference tracking, booking history, the works. I asked the front desk supervisor how often staff actually pulled up a guest profile before check-in. She laughed. "We're supposed to?" They had 94% of the data the vendor promised during the demo. They were using maybe 15% of it. The rest just... sat there. Because nobody built the workflow that turns a data field into a human interaction. The system knew the guest preferred a high floor and extra pillows. The agent checking them in at 11 PM didn't look at the screen because she was answering two phone calls and processing a mobile key that wasn't working. That's not a data problem. That's an operations problem wearing a technology costume.

Look, I'm not anti-PMS modernization. Cloud-based systems are objectively better architecture than the on-premise dinosaurs a lot of properties are still running. Real-time data sync, API connectivity, remote management... these matter. And the stat that properties using data-driven strategies see up to 15% RevPAR improvement? I believe it. But "data-driven strategy" doesn't mean "installed a system that collects data." It means someone designed the workflow, trained the team (and then retrained them four months later when half the staff turned over, because hospitality turnover is still north of 70%), and built accountability into the process. The technology is the easy part. The human layer is where every single one of these implementations either works or becomes a very expensive database nobody opens.

The real question nobody in the PMS vendor conversation wants to answer: what does guest intelligence look like at a 150-key select-service property running two people on the desk during peak check-in and one person overnight? Because 61% of consumers might say they'll spend more for a personalized experience, but personalization requires someone with the time, training, and motivation to deliver it. The system can surface the insight. If the person seeing it has six other things competing for their attention, the insight dies on the screen. That's not a technology failure. That's a deployment failure. And it's the one vendors never demo because it doesn't look good on a laptop in a conference room.

What actually works is brutally unsexy. It's picking three... maybe four... data points that your team can realistically act on during a guest interaction. Not the full profile. Not the 47-field preference record. Three things. Guest name, stay count, and one preference. Build a 10-second ritual around those three things. Train it until it's muscle memory. Then... and only then... add a fourth data point. I've seen this approach outperform full-blown "guest intelligence platforms" at properties where the team actually executes it. Because a system that surfaces 50 insights nobody reads is worth less than a sticky note that says "returning guest, likes quiet room, said thanks last time we remembered."

Operator's Take

Here's what to do before you spend another dollar on PMS upgrades or guest intelligence add-ons. Walk to your front desk during the busiest hour of your day. Watch how many times your agents actually open a guest profile before check-in. Count it. That number is your real technology utilization rate... and I promise it's lower than whatever your vendor dashboard says. If your team isn't using what you already have, a better system won't fix it. Pick three actionable data points. Build the 10-second workflow. Train it this week. This is what I call the Vendor ROI Sentence... if your PMS vendor can't tell you exactly which workflow change will hit your P&L, they're selling you a platform, not a solution. The intelligence isn't in the system. It's in whether your 11 PM front desk agent knows what to do with it.

— Mike Storm, Founder & Editor
Source: Google News: Hospitality Technology
Booking.com Got Breached. Your Front Desk Is About to Deal With the Fallout.

Hackers didn't steal credit cards from Booking.com... they stole something more useful: real guest names, real reservation details, and real property information. Now your guests are getting scam messages that look exactly like legitimate booking confirmations, and your front desk team is the last line of defense.

So here's what actually happened. Booking.com confirmed unauthorized access to customer booking data around April 13. Names, emails, phone numbers, addresses, specific reservation details... dates, property names, locations. Everything a scammer needs to craft a message so convincing that even a savvy traveler would hesitate before dismissing it. Booking says no financial data was compromised from their systems. That's technically accurate and practically irrelevant, because the scammers don't need your credit card number from Booking. They just need enough real information to trick you into handing it over yourself.

This is what the security world calls a "reservation hijack," and it's not new. The UK's Action Fraud documented 532 of these between June 2023 and September 2024, totaling roughly £370,000 in losses. What IS new is the scale and sophistication. The attackers are getting in through hotel partner accounts... phishing the properties themselves, compromising their Booking.com extranet credentials, and then using the platform's own messaging system to contact guests with legitimate-looking payment requests. AI is making these messages better, faster, more personalized. A guest gets a message through Booking's actual app referencing their actual reservation at your actual hotel asking them to "verify" payment. Most people would click. I might click. And that's the problem.

Look, I've evaluated dozens of vendor security architectures over the years. The pattern here is one I've seen over and over again: the platform secures its own perimeter, declares victory, and leaves the weakest node in the chain... the property... completely exposed. Booking invested heavily in AI fraud detection on their side. Great. But the attack vector isn't Booking's infrastructure. It's the hotel's. It's the GM who uses the same password for the extranet and their personal email. It's the front desk agent who clicks a phishing link at 2 AM because it looked like it came from Booking support. It's the property that has no two-factor authentication on their OTA accounts because nobody ever set it up and nobody ever asked. The platform treats security as its problem to solve centrally. But the breach happens locally, at the property, on the shift with the least technical person in the building.

And here's what's going to hit operators hardest... it's not the breach itself. It's the phone calls. Guests who got scam messages are going to call your front desk. They're going to be angry, scared, confused. Your team needs to know what happened, what to say, and what NOT to say (do not confirm or deny specific reservation details over the phone to someone you can't verify... that's how the second wave of social engineering works). This is a training problem that landed on your doorstep this week whether you were ready for it or not. Booking reset reservation PINs for affected bookings. That's their fix. Your fix is making sure every person who answers your phone or stands behind your desk knows what a reservation hijack looks like and how to handle a guest who just got hit by one.

One more thing. Booking got fined €475,000 back in 2018 for reporting a breach 22 days late. They've been through this before. The question nobody's asking is whether the hotel partners whose accounts were compromised have any notification obligations of their own... and whether those partners even know their accounts were used as the entry point. If you're a property using Booking's extranet, check your account activity. Today. Not next week. Today. Because the attackers didn't break into Booking's vault. They walked in through your front door.

Operator's Take

Here's what to do this week. First... every OTA extranet account at your property gets two-factor authentication turned on by Friday. Every. Single. One. If you don't know how, call your Booking rep and make them walk you through it. Second... brief your front desk team, especially your night shift, on what reservation hijack scams look like and how to handle guest calls about suspicious messages. The script is simple: "We will never ask for payment information by text or messaging app. If you received a message like that, do not click any links and contact us directly at this number." Third... check your Booking extranet login history right now. If you see logins from locations or devices you don't recognize, change credentials immediately and report it. This isn't about Booking's security problem. It's about yours. The platform got breached, but your property is the one taking the guest calls and absorbing the trust damage. Get ahead of it before your first angry guest walks up to the desk with a screenshot of a scam message that has your hotel's name on it.

— Mike Storm, Founder & Editor
Source: Google News: Booking Holdings
Booking.com Got Breached Again. Your Front Desk Is About to Deal With It.

Booking.com just exposed guest names, emails, phone numbers, and reservation details to unauthorized third parties... and the phishing emails targeting your guests have already started. The OTA says no financial data was compromised, but the real damage isn't about credit cards.

I worked with a GM years ago who kept a printed list taped to the back of the front desk... every known phone scam, every phishing email template, every variation of "I'm calling from corporate and I need you to process a refund." She updated it monthly. Her staff knew the scripts better than the scammers did. When I asked her why she went through the trouble, she said something I've never forgotten: "The guest doesn't blame the scammer. The guest blames us. Because we're the ones standing in front of them."

That's exactly what's about to happen at properties all over the country. Booking.com confirmed over the weekend that unauthorized third parties accessed guest reservation data... names, email addresses, phone numbers, booking details. They say no payment information was compromised. They've reset PINs on affected reservations and emailed impacted customers. And they won't say how many people were affected, which tells you something all by itself.

Here's what nobody's telling you about why this matters more than the headline suggests. The stolen data isn't valuable because of what it IS. It's valuable because of what it ENABLES. A scammer who knows your guest's name, their check-in date, and which hotel they're staying at can craft an email or WhatsApp message that looks indistinguishable from a legitimate hotel communication. "Dear Mr. Henderson, regarding your April 22 reservation at the Courtyard... we need to verify your payment method." Reports are already surfacing of guests receiving exactly these messages. Your guest gets that email, panics, hands over their credit card... and then calls your front desk furious because they think YOU sent it. This is the third or fourth time in three years that Booking.com's ecosystem has been the vector for this kind of attack. In 2023 it was a phishing campaign that compromised hotel partner systems and stole credit card data directly. In 2025 there was an infostealer malware campaign targeting hospitality staff through fake CAPTCHA pages. Last summer, scammers used real booking data obtained through compromised hotel accounts to send fraudulent payment requests. The pattern is clear and it's accelerating. Booking.com claims they blocked 85 million fraudulent reservations and 1.5 million phishing attempts in a single year. Good for them. But when the breaches keep happening despite those numbers, the question isn't how hard they're trying. It's whether the architecture itself is the problem.

And here's where this gets uncomfortable for operators. Booking.com's official position in several past incidents has been that their systems weren't breached... that the compromise happened through partner hotel systems. Think about that. The OTA collects the commission. The hotel absorbs the operational fallout AND potentially takes the blame for the security failure. Whether the entry point this time was Booking.com's infrastructure or a partner property's compromised credentials, it doesn't matter to the guest standing at your desk asking why someone has their reservation details. You're the face. You're the one who has to explain it. You're the one who eats the bad review.

This isn't a cybersecurity story. It's an operations story. Every front desk agent at every property that takes OTA bookings needs to know, right now, that a wave of sophisticated phishing is coming. Your guests are going to receive messages that reference real reservation data. Some of your guests are going to fall for it. And some of those guests are going to walk through your lobby door convinced that your hotel leaked their information. Because from where they're standing... that's exactly what it looks like.

Operator's Take

If you have Booking.com reservations on the books for the next 30 days, this is your problem right now. Today... not next week... brief every front desk agent on what's happening. Give them language for when a guest calls or walks in saying "someone contacted me about my reservation." Something simple: "That did not come from us. Booking.com experienced a data incident. Never share payment information through links in emails or messages. We can verify your reservation right here." Print it. Tape it behind the desk. Second, check your own Booking.com partner portal security. Enable two-factor authentication if you haven't (Booking.com requires it for payment access but make sure it's active across all admin accounts). Change your passwords today. Third, if you're an owner with significant OTA exposure through Booking.com, this is the moment to seriously evaluate what that dependency costs you beyond the commission. This is what I call the Invisible P&L... the labor hours spent managing guest panic, the review damage from scam fallout, the trust erosion that never shows up as a line item but absolutely shows up in your repeat booking rate. You can't control what happens on their servers. But you can control how prepared your team is when the phone starts ringing.

Source: Google News: Booking Holdings
An Influencer Just Paid $83K for a Weekend Rental. And Your Front Desk Team Is About to Feel It.

Coachella's short-term rental chaos... cancellations, $83,000 rebookings, hosts playing rate roulette... sounds like someone else's problem. Until you realize the same demand compression is flooding your lobby with guests who couldn't get an Airbnb at any price and are already furious before they check in.

I managed through a major music festival once. Not Coachella... different market, different scale, but the same physics. Three sold-out nights where the phones rang so hard we pulled the breakfast attendant to help the front desk. Every room was north of 2x our normal rate. Every guest who walked in had already been quoted something insane somewhere else, so they were simultaneously grateful to have a room and resentful about what they were paying for it. The vibe in the lobby was electric and hostile at the same time. It's a very specific energy. If you've worked a compression event, you know exactly what I'm talking about.

That's what's happening in the Coachella Valley right now, except the numbers have gone completely sideways. We're not talking about a Best Western at $189. We're talking about a Best Western at $600-$700. A JW Marriott room at $2,487 for a single night. Hotel rates up 61.6% over the prior two weekends. And that's the HOTEL side... which is supposed to be the stable, predictable side. The short-term rental market is where it gets genuinely wild. An influencer with 15 million followers publicly posted that her $29,000 Airbnb booking got canceled and she had to rebook for $83,375. STR hosts are seeing revenue up 38% overall, 53% for Weekend 2. Average occupancy running 85% across the valley. This is demand compression at a level that breaks normal pricing behavior and starts creating chaos.

Here's what nobody's talking about in the breathless coverage of influencer drama and $83K bookings. The STR cancellation problem (hosts canceling confirmed reservations to relist at higher prices) is actively pushing displaced guests into the hotel channel. Every canceled Airbnb becomes a walk-in, a frantic Expedia search, or a phone call to the front desk at 11 PM from someone who just drove four hours and has nowhere to sleep. These are not your typical guests. They're angry, they've been burned, and they're paying rates they consider extortionate because they have no alternative. Your front desk team is absorbing that emotional fallout, and if you haven't prepped them for it, you're setting them up to fail. Airbnb says they're "not seeing any noticeable increase" in cancellations and have safeguards in place. I've been in this business long enough to know that platform-level data and property-level reality are often two different things.

The revenue management side of this is seductive and dangerous. When you can get $700 for a room that normally goes for $189, every instinct says push it higher. And for these two weekends, maybe you should. But this is what I call the Rate Recovery Trap. The Coachella Valley doesn't run at $700 ADR in May. Or June. Or July, when it's 115 degrees and you're begging for occupancy. The guests paying $700 this weekend aren't coming back at $700 next month. They're not coming back at all... they were here for the festival, not for your property. If your revenue strategy treats this as a new baseline instead of what it is (a two-weekend anomaly), you'll spend the summer chasing a number that doesn't exist. The $20 million in projected direct tourism spending sounds massive. Spread it across the full market over 52 weeks and it's a rounding error. These two weekends are a windfall, not a trend.

The bigger story here is structural. Short-term rentals have become the pressure valve for compression events, and when that valve malfunctions (cancellations, price manipulation, platform enforcement that may or may not work), traditional hotels absorb the overflow. That's a planning variable, not just a news story. If your market has any recurring event that drives STR demand through the roof... a festival, a major convention, a sporting event... you need to assume that some percentage of those STR bookings will fail and those guests will land in your lobby. Plan your staffing for it. Brief your front desk on it. Have your walk policy tight. And for the love of God, make sure whoever is working the 11 PM to 7 AM shift knows that the person in front of them just got their $29,000 booking canceled and needs someone to be calm and competent, not someone reading a script about the hotel's amenities.

Operator's Take

If you're a GM in any market that hosts a major annual event, this is your homework before next year's compression weekend. First... staff the front desk 30% heavier than you think you need on peak nights. The STR cancellation spillover is real, it's growing, and it arrives angry. Second... brief your night team specifically on displaced STR guests. They need empathy, not upselling. A guest who just lost their rental is not a candidate for a room upgrade pitch. They're a candidate for someone who says "I'm glad you found us. Let me get you taken care of." Third... on revenue management, take the windfall, push the rate, but flag it in your reports as event-driven and do NOT let it contaminate your forward pricing. Your owner will see those numbers and ask why June doesn't look the same. Have the answer ready before they ask. The money is real. The guest goodwill you build (or destroy) during these 72 hours matters more than the rate premium.

Source: Google News: Airbnb