Today · Jul 16, 2026
A Court Just Told Hotel Guests Their Browsing Data Isn't "Intercepted." Owners Should Not Celebrate.

A Court Just Told Hotel Guests Their Browsing Data Isn't "Intercepted." Owners Should Not Celebrate.

Sojern beat a privacy lawsuit over tracking pixels on Hilton's website, and the legal reasoning basically says your marketing vendors have your implied consent to watch everything. If you're an owner who thinks this ruling protects you, wait until you see the three new lawsuits already filed against the same brand.

Available Analysis

Let me tell you about the most dangerous kind of victory in the hotel business: the one that makes you think you're safe.

A federal judge in California just tossed a guest's lawsuit against Sojern, the travel marketing platform that embeds tracking technology on hotel websites to watch what guests browse, what rooms they price, what dates they search, and whether they complete a reservation. The guest alleged this was wiretapping. The court said no... the data wasn't "intercepted in transit" (a very specific legal distinction that matters enormously to lawyers and almost not at all to the guest who just found out a company she'd never heard of was watching her shop for a hotel room). The court also said the hotels themselves consented to the tracking as "parties to the communication," which made it legal under federal wiretap law. Case dismissed.

And I can already hear the sigh of relief from brand legal departments. I can hear the vendor sales teams preparing their "see, it's perfectly legal" talking points. I can practically see the PowerPoint slide. Here's the part they won't put on the slide: Hilton is currently facing at least three additional class action lawsuits alleging the exact same type of tracking behavior... two involving Meta's pixel, one broadly challenging third-party trackers with no consent banner. The plaintiff in THIS case voluntarily dropped Hilton from the suit, which means the brand hasn't actually been tested yet. And the legal theory is evolving. California's privacy laws aren't getting looser. They're getting tighter. This ruling is a speed bump, not a wall. (I've read enough FDDs to know the difference between a legal victory and a strategic one. This is neither.)

Here's what nobody in brand marketing wants to talk about: the guest doesn't care about the legal distinction between "intercepted in transit" and "collected at endpoint." The guest cares that she searched for a hotel room and then saw ads for that hotel following her across the internet for three weeks. That's the EXPERIENCE of being tracked, and no court ruling changes how it feels. I grew up watching my dad deliver brand promises to guests who didn't read the fine print... they just knew whether the stay felt right or felt wrong. A loyalty member discovering that a company called Sojern (a name she's never encountered, a relationship she never agreed to) has her search history, her travel dates, and her price sensitivity data? That doesn't feel right. And "but the court said it's legal" is not a brand strategy. It's a legal defense. Those are different documents.

The real tension here is between marketing performance and brand trust, and right now the entire industry is leaning hard into performance without asking what it costs on the trust side. Sojern serves over 13,000 customers. They're reportedly being acquired for $250 million. That's a quarter-billion-dollar business built on watching travelers browse hotel websites and turning that data into targeted advertising. The value proposition to the hotel is clear: better targeting, higher conversion, more direct bookings. The value proposition to the guest is... what, exactly? More relevant ads? Nobody has ever described a retargeted ad as "relevant." They describe it as "creepy." And creepy erodes the one thing a hospitality brand cannot buy back once it's gone. You know what I'm going to say. Trust. The thing your loyalty program is supposed to build. The thing your "member-exclusive rate" is supposed to reinforce. The thing a tracking pixel quietly undermines every time a guest realizes the hotel she browsed is now following her around the internet without ever asking permission.

If you're an owner with a branded property, this ruling doesn't protect you. It protects your vendor. Your brand agreement almost certainly gives the franchisor broad rights to deploy marketing technology on the brand website, including tracking pixels from third-party partners you've never vetted and whose data practices you've never reviewed. When the next lawsuit names the hotel (and it will... the newer suits are going directly at the brands, not just the vendors), the brand will point to the franchise agreement that says you agreed to this. And you did. Page 47, section 12(c), right between the loyalty assessment schedule and the PMS mandate. You signed it. You just didn't read it. (Don't feel bad. Almost nobody reads it. That's what the filing cabinet is for.)

Operator's Take

Here's what I need every branded operator to do this week. Pull your franchise agreement and find the section on marketing technology, data collection, and third-party vendor authorization. Read it. Understand what you've consented to on behalf of your guests. Then call your brand rep and ask one question: "What third-party tracking is currently deployed on the brand website, and what guest data is being shared with vendors I haven't approved?" Write down exactly what they say. If they can't answer clearly, that's your answer. This is what I call the Invisible P&L... the costs that never show up on your financial statements but destroy value in ways you don't see until a lawsuit hits or a loyalty member walks. Data liability is real. Reputational damage is real. And "the court said it was legal" won't mean a thing to the guest who just canceled their loyalty account because they felt surveilled instead of served.

— Mike Storm, Founder & Editor
Read full analysis → ← Show less
Source: Google News: Hilton
Booking.com Got Breached. Your Front Desk Is About to Deal With the Fallout.

Booking.com Got Breached. Your Front Desk Is About to Deal With the Fallout.

Hackers didn't steal credit cards from Booking.com... they stole something more useful: real guest names, real reservation details, and real property information. Now your guests are getting scam messages that look exactly like legitimate booking confirmations, and your front desk team is the last line of defense.

Available Analysis

So here's what actually happened. Booking.com confirmed unauthorized access to customer booking data around April 13. Names, emails, phone numbers, addresses, specific reservation details... dates, property names, locations. Everything a scammer needs to craft a message so convincing that even a savvy traveler would hesitate before dismissing it. Booking says no financial data was compromised from their systems. That's technically accurate and practically irrelevant, because the scammers don't need your credit card number from Booking. They just need enough real information to trick you into handing it over yourself.

This is what the security world calls a "reservation hijack," and it's not new. The UK's Action Fraud documented 532 of these between June 2023 and September 2024, totaling roughly £370,000 in losses. What IS new is the scale and sophistication. The attackers are getting in through hotel partner accounts... phishing the properties themselves, compromising their Booking.com extranet credentials, and then using the platform's own messaging system to contact guests with legitimate-looking payment requests. AI is making these messages better, faster, more personalized. A guest gets a message through Booking's actual app referencing their actual reservation at your actual hotel asking them to "verify" payment. Most people would click. I might click. And that's the problem.

Look, I've evaluated dozens of vendor security architectures over the years. The pattern here is one I've seen over and over again: the platform secures its own perimeter, declares victory, and leaves the weakest node in the chain... the property... completely exposed. Booking invested heavily in AI fraud detection on their side. Great. But the attack vector isn't Booking's infrastructure. It's the hotel's. It's the GM who uses the same password for the extranet and their personal email. It's the front desk agent who clicks a phishing link at 2 AM because it looked like it came from Booking support. It's the property that has no two-factor authentication on their OTA accounts because nobody ever set it up and nobody ever asked. The platform treats security as its problem to solve centrally. But the breach happens locally, at the property, on the shift with the least technical person in the building.

And here's what's going to hit operators hardest... it's not the breach itself. It's the phone calls. Guests who got scam messages are going to call your front desk. They're going to be angry, scared, confused. Your team needs to know what happened, what to say, and what NOT to say (do not confirm or deny specific reservation details over the phone to someone you can't verify... that's how the second wave of social engineering works). This is a training problem that landed on your doorstep this week whether you were ready for it or not. Booking reset reservation PINs for affected bookings. That's their fix. Your fix is making sure every person who answers your phone or stands behind your desk knows what a reservation hijack looks like and how to handle a guest who just got hit by one.

One more thing. Booking got fined €475,000 back in 2018 for reporting a breach 22 days late. They've been through this before. The question nobody's asking is whether the hotel partners whose accounts were compromised have any notification obligations of their own... and whether those partners even know their accounts were used as the entry point. If you're a property using Booking's extranet, check your account activity. Today. Not next week. Today. Because the attackers didn't break into Booking's vault. They walked in through your front door.

Operator's Take

Here's what to do this week. First... every OTA extranet account at your property gets two-factor authentication turned on by Friday. Every. Single. One. If you don't know how, call your Booking rep and make them walk you through it. Second... brief your front desk team, especially your night shift, on what reservation hijack scams look like and how to handle guest calls about suspicious messages. The script is simple: "We will never ask for payment information by text or messaging app. If you received a message like that, do not click any links and contact us directly at this number." Third... check your Booking extranet login history right now. If you see logins from locations or devices you don't recognize, change credentials immediately and report it. This isn't about Booking's security problem. It's about yours. The platform got breached, but your property is the one taking the guest calls and absorbing the trust damage. Get ahead of it before your first angry guest walks up to the desk with a screenshot of a scam message that has your hotel's name on it.

— Mike Storm, Founder & Editor
Read full analysis → ← Show less
Source: Google News: Booking Holdings
Booking.com Just Lost Your Guests' Data. Again. And IHG Wants You Excited About a Free Night.

Booking.com Just Lost Your Guests' Data. Again. And IHG Wants You Excited About a Free Night.

A data breach exposing guest names, emails, addresses, and reservation details should be the biggest story in hospitality this week. Instead, it's buried under a loyalty promo and an airline status match, which tells you everything about how this industry prioritizes shiny objects over the things that actually erode trust.

Let me tell you what caught my eye this morning, and it wasn't the promotion.

Booking.com confirmed that unauthorized third parties accessed customer booking information... names, email addresses, physical addresses, phone numbers, reservation dates, and communications shared with properties. They say no financial data was compromised, which is the corporate equivalent of "but the house is still standing" after a kitchen fire. The house might be standing, but nobody wants to eat there tonight. And Booking.com hasn't disclosed how many customers were affected, which in my experience means the number is large enough that saying it out loud would make the headline worse. They reset PINs. They sent emails. They called it "contained." This is the same company that got hit in 2018, affecting over 4,000 people, and caught a €475,000 fine from Dutch regulators for dragging their feet on disclosure. The pattern isn't new. The pattern is the point.

Here's where this gets interesting for anyone running a hotel. Your guests booked through Booking.com. Their personal information... the stuff they trusted a platform with... is now floating around in places it shouldn't be. And the follow-on isn't the breach itself, it's the phishing. Someone with a guest's name, their reservation dates, their email, and the name of your property can craft a message that looks exactly like it came from your front desk. "Dear Mrs. Patterson, regarding your upcoming stay on April 22nd, we need to verify your payment information..." That email isn't coming from you, but it's wearing your name. And when that guest gets scammed, who do you think they blame? Not the faceless OTA. They blame the hotel whose name was on the email. Your brand. Your reputation. Your TripAdvisor review. I sat in a franchise review once where an owner discovered that a wave of chargebacks at his property traced back to a third-party platform breach six months earlier. Nobody at the brand could explain how guest data had leaked. Nobody at the OTA returned his calls. He was just... holding the bag.

Now, in the same news cycle, we get IHG running promotions (targeted bonus Elite Night Credits through May, one per night stayed, up to five, for eligible stays of $30 or more) and Air France-KLM's Flying Blue program selling status matches at $99 for Silver and $199 for Gold. These are fine. These are normal loyalty mechanics. The status match is smart... it's designed to poach elite flyers from competing alliances, and the price points are low enough to generate volume. IHG's targeted credits are standard engagement plays to keep members booking direct. None of this is revolutionary, and none of it should be treated as news that changes your week. But here's what bothers me... the industry's attention economy is broken. A loyalty promo gets the same headline weight as a data breach that exposes the personal information of an unknown number of travelers. The shiny thing and the dangerous thing sit side by side, and the shiny thing gets more clicks. That's how trust erodes. Not in one dramatic moment, but in the slow drip of treating security incidents as secondary stories while we celebrate a free third night.

The brand promise and the brand delivery are two different documents, and right now, the delivery document has a hole in it the size of a guest database. If you're an owner with significant OTA exposure (and let's be honest, most of you are), this breach should change how you think about channel mix, not because direct booking is a magic shield, but because every intermediary that touches your guest data is a potential point of failure. And when that failure happens, the guest doesn't call the intermediary. They call your front desk. The question nobody's asking is whether your brand has a protocol for when a third-party breach puts your property's name on a phishing email. (Spoiler: most don't. I've checked.)

Operator's Take

Here's what I'd do this week if I'm running a hotel with any meaningful OTA volume. First, check with your front desk team right now... are they trained to handle calls from guests who received suspicious emails mentioning your property? If the answer is no, fix that before Friday. Second, reach out to your brand's regional support and ask specifically what their protocol is when a third-party platform breach exposes reservation data tied to your property. Get it in writing. If they don't have one, you just identified a gap your owner needs to know about. Third, look at your channel mix. I'm not saying pull off the OTAs... that's not realistic for most of you. But every point of OTA exposure is a point of data vulnerability you don't control. If this doesn't move the needle on your direct booking investment conversation, I don't know what will. This is what I call the Invisible P&L... the cost of a data breach never shows up on your operating statement, but it destroys margin through chargebacks, reputation damage, and guest trust you spent years building.

— Mike Storm, Founder & Editor
Read full analysis → ← Show less
Source: Google News: IHG
End of Stories