Hotel Curracloe Guests Targeted in Phishing Campaign Following GuestDiary Data Breach

Hotel Curracloe, a hospitality business in Wexford, Ireland, notified guests of a data breach originating from its third-party booking system provider, GuestDiary.com. The incident occurred in late March 2024 and led to unauthorized access to the partner platform's database. 

The hotel's internal systems are secure but the breach has triggered a wave of targeted phishing attacks against individuals who booked stays through the compromised service.

Attackers broke into the GuestDiary.com platform to exfiltrate guest contact information and booking details. Threat actors then launched phishing campaigns using WhatsApp and email to impersonate Hotel Curracloe, GuestDiary, Booking.com, or Expedia. These messages contain links to fraudulent websites that mimic legitimate booking portals to trick users into making payments to "secure" their existing reservations. The compromised data includes:

• Full guest names
• Email addresses
• Phone numbers
• Booking metadata

The number of affected individuals is not disclosed. Hotel Curracloe claims that no encrypted payment or credit card information was accessed during the breach.

Hotel Curracloe management started a multi-channel notification campaign across email and social media to warn guests of the ongoing risks. The hotel stated it will never request payments via WhatsApp or send unsolicited payment links. GuestDiary.com is currently working to identify and shut down the fraudulent websites used in the phishing campaign to stop further criminal activity.