The website has sent compromised customers an email advising that their username, password, email address, and the last four digits of stored credit card numbers were potentially stolen last month.
The Texas-headquartered company has hundreds of thousands of hotels on its books around the world and is part of the Expedia organisation, along with similar sites such as Trivago and Hotwire. It includes independent and major chain hotels as well as bed and breakfasts and resorts.
There is no breakdown so far of how many customers were affected but a spokesperson for Hotels.com confirmed data was compromised between May 22 and 29 and that it was engaging with customers worldwide, including Ireland.
The company said it could assure customers that full credit card information was not compromised on its website.
Irish cybersecurity experts warned that such breaches of customer data were now a fact of life online and urged people to take password security more seriously.
Director of cybersecurity services at PwC, Leonard McAuliffe, said online industry was “under constant attack” from hackers looking for databases of names, addresses, passwords, and other lucrative information.
“Depending on the type of information they can access, the value goes up,” said Mr McAuliffe.
“That means a scale of names and addresses, to usernames and passwords, to credit card details and the three-digit security code on the back of a credit card. They can sell on those databases on what is known as the Darknet, or they can monetise the details themselves. It is very lucrative.”
Mr McAuliffe said an even more sophisticated scam pattern was emerging, with emails purporting to be a company telling users their details were hacked and that they should change passwords. If there is a clickable link within such an email, users should avoid it, he said.
“Do not click on the links within those emails as they could be fake to lure people in,” said Mr McAuliffe. “They might very well be legitimate but why take the chance? We advise that if you are to change your password, do so on the actual official website or app, and not through a link in an email. It’s always better to be safe than sorry.”
Mr McAuliffe said that security measures such as two-step verification — where a user needs to enter an extra code sent to a phone to verify log-in details — were very efficient in preventing data theft. Biometric verification, which is verification by a body part such as a fingerprint, was also proving very successful, he added.
“Usernames and passwords are just not good enough any more and companies and customers have to get used to that,” said Mr McAuliffe.
CEO of Cork-based IT company Smarttech, Ronan Murphy, said “password hygiene” was effective in preventing data being stolen.
“That means changing your passwords regularly, not using the same passwords for every site, using symbols and numbers, etc,” said Mr Murphy.