Thousands of customers of online travel agent Booking.com have been conned following the theft of personal data, a whistleblower has revealed.
BBC Radio 4's Money Box
'Tom' spent 12 days working from his home computer, calling around 250 Booking.com customers per day from a supplied list. Many were visitors travelling to London from countries such as Japan, China, India, and South Africa.
"We were told to call up people and tell them that they'll receive an emailâ¦ and if they have any questions they should get in touch with us," 'Tom' told Money Box.
"We had to say that we were calling from [the hotel into which the customer had booked] and we would send an email and it would appear that the hotel was sending them an email."
The subsequent e-mail would ask for advance payment for the hotel booking, with bank details that had no connection to the hotel. Customers who queried the payment demand were directed to a fraudulent phone line, where the criminals had installed staff who posed as Booking.com employees, insisting that the hotels had changed their payment policies.
Some of the customers sent a payment, but found the hotel had no record of it when they checked in. Although they have received refunds for the double payment, the episode represents a major security breach.
Booking.com has estimated that about 10,000 people were affected.
‘Tom' claims he was unaware that he was involved in criminal activity and agreed to speak to Money Box because he was angry at having become accidentally involved.
A Booking.com customer named as 'Claire' from West Yorkshire said she received a phone call asking for payment in advance for a London hotel in November.
She avoided being conned by phoning the hotel directly and establishing that they had not demanded advance payment. However, she wants Booking.com to announce publicly that customer details are now safe.
"I want to know how this scamming company is finding out the reservation numbers, the dates, the contact details - there's a lot of private information there," she said.
A spokesperson for Booking.com told Money Box the firm is working with police on how to prevent future phishing attacks. The company declined to be interviewed.