Booking.com confirmed unauthorized access to customer reservation and personal data, with affected customers notified in mid-April 2026; two items cover this incident with partially overlapping and partially conflicting detail on the scope of exposed data fields (SCC-DBR-2026-0089 provides more granular PII enumeration including trip dates and confirmation numbers while SCC-DBR-2026-0090 reflects lower source confidence). No CVE applies; this is a platform-level breach. Threat actors are actively weaponizing reservation-level detail for highly targeted phishing campaigns, and the initial access vector has not been publicly disclosed by Booking.com. Organizations with employees who book business travel via Booking.com should advise immediate password resets, enforce phishing-resistant MFA on linked accounts, and monitor email gateways for inbound messages referencing Booking.com reservation language paired with external links.