Booking.com Breach Highlights Rise In Reservation Hijack Scams
Booking.com has reported a data breach involving customer reservation details, and the exposed data is already being used to carry out highly convincing “reservation hijack” scams.
What Happened At Booking.com?
Booking.com has confirmed that unauthorised third parties accessed customer reservation data, including names, email addresses, phone numbers, home addresses, and details of past and upcoming bookings.
The company says financial information was not taken from its systems, but the exposed data is highly sensitive in a different way: it could give criminals the exact context they need to convincingly impersonate legitimate hotel communications.
For example, customers have already reported receiving suspicious messages, and the platform has begun notifying affected users (by email) while updating reservation PINs as a containment measure. The overall scale of the breach has not yet been fully disclosed.
How The Booking.com Data Breach Appears To Have Happened
Early analysis seems to point to a familiar weak spot rather than a direct breach of Booking.com’s core systems.
Research highlighted by Microsoft suggests attackers targeted hotel partners using phishing techniques designed to trick staff into installing malware, with one method known as “ClickFix” disguising malicious downloads as routine system fixes, often delivered via fake CAPTCHA pages.
Once hotel systems are compromised, attackers can gain access to booking platforms and extract customer data at scale, which aligns with recent reporting about the incident from Malwarebytes, indicating the breach likely originated through third-party access rather than a single central failure.
This matters as it reflects a structural issue rather than a one-off vulnerability, highlighting how interconnected systems can introduce risk beyond the primary platform itself.
What Makes Reservation Hijacking So Effective?
Cybersecurity experts have labelled the resulting scams “reservation hijacking”. In a typical attack of this kind, criminals contact a customer posing as their hotel, referencing genuine booking details such as dates, property names, and contact information, and then claim there is an issue with the booking that requires payment verification or an urgent transfer.
This level of detail removes many of the usual warning signs associated with phishing, as the communication feels routine, relevant, and timed to coincide with an upcoming stay.
As a result, victims are far more likely to comply, especially when the request appears consistent with what they expect from a legitimate provider.
According to data from the UK’s Action Fraud, hundreds of Booking.com-related scams have already been reported in recent years, with significant financial losses, and the concern now is that this breach will increase both the scale and success rate of these attacks.
A Pattern In The Travel Sector
Sadly, this incident is not happening in isolation. For example, travel platforms operate within complex ecosystems involving hotels, franchises, agents, and third-party service providers, and each connection introduces another potential entry point for attackers.
Recent breaches affecting airlines, rail services, and car hire firms all seem to have followed a similar pattern, with attackers gaining access through partners rather than the primary platform itself.
UK consumer group Which? has previously raised concerns about weak verification processes and the misuse of messaging systems within booking platforms, highlighting how easily fraudulent listings and communications can appear legitimate.
The result is an environment where trust is high but control is fragmented, making it easier for attackers to exploit gaps between systems and organisations.
What Has Booking.com Said About The Incident?
Booking.com has said it identified “suspicious activity” affecting a number of reservations and acted quickly to contain the issue, including updating reservation PINs and contacting affected customers directly.
The company has confirmed that unauthorised third parties were able to access certain booking information, but maintains that financial details were not exposed through its systems.
It has also stressed that it will never ask customers to share credit card details by email, phone, WhatsApp or text, or request payments outside the terms set out in the original booking confirmation.
While Booking.com has not disclosed how many customers have been affected or which regions are involved, it has urged users to remain vigilant and report any suspicious messages or payment requests.
Why This Breach Matters More Than It Looks
At first glance, the absence of stolen payment data may seem reassuring, but in reality this type of breach can be just as damaging.
Modern fraud relies less on stealing card numbers and more on manipulating behaviour, and when attackers know where someone is staying, when they are travelling, and how to contact them, they can craft messages that feel entirely credible.
The speed of exploitation is also notable, with reports suggesting phishing attempts began emerging within days of the breach being identified, indicating a coordinated effort to turn stolen data into immediate financial gain.
This effectively moves the incident from a passive data exposure to an active fraud campaign.
What Does This Mean For Your Business?
For organisations that store customer data or rely on third-party platforms, the incident highlights how exposure now extends well beyond internal systems.
Weaknesses within partner organisations can quickly become shared risks, particularly where access to customer data and operational platforms is interconnected, making supply chain security just as important as internal controls.
For Booking.com, the breach adds to ongoing scrutiny around platform security and fraud prevention, especially given the long-running issues with scams linked to its ecosystem, and increases pressure to strengthen both partner controls and customer protections.
Across the wider travel sector, the incident reinforces a persistent challenge, as platforms depend on large, distributed networks of hotels and service providers, creating multiple entry points for attackers and making consistent security standards difficult to enforce at scale.
For customers, the immediate risk lies in highly targeted phishing attempts that feel genuine, with real booking details being used to create convincing scenarios, making it far harder to distinguish between legitimate communication and fraud.
This also highlights how data that appears relatively low risk in isolation can become far more valuable when combined, particularly when it enables attackers to construct believable, real-world narratives that bypass normal scepticism.
In response, there is a growing expectation that platforms will take a more active role in protecting users, whether through stronger partner authentication requirements, improved monitoring of messaging systems, or clearer safeguards around how and when payments should be made.
At the same time, customers are being urged to remain cautious, particularly when asked to make payments or share sensitive information, even if the request appears to come from a known provider or references a genuine booking.
The Booking.com breach demonstrates how quickly stolen data can be turned into targeted, real-world attacks when it is rich in context, reinforcing a broader point for businesses that security is no longer just about protecting systems, but about understanding how data could be used against the people who trust them with it.
France Plans Shift From Windows To Strengthen Sovereignty
France is planning to replace parts of its government use of Windows with Linux, signalling a wider shift across Europe to reduce reliance on US technology and regain control over critical digital infrastructure.
A Move From Windows To Linux-Based Alternatives
The French government has confirmed that it will begin moving some public sector systems away from Microsoft Windows in favour of Linux-based alternatives, starting with workstations within its digital agency, DINUM.
This is not an isolated technical decision but is part of a broader state-led strategy to reduce dependence on non-European technology providers across multiple areas, including operating systems, collaboration tools, cloud platforms, and data infrastructure.
In an official statement, the French government explained its position, saying: “The State can no longer simply acknowledge its dependence; it must break free… We can no longer accept that our data, our infrastructure, and our strategic decisions depend on solutions whose rules, pricing, evolution, and risks we do not control,” referring primarily to large non-European (US) technology providers.
This is what policymakers are increasingly referring to as “digital sovereignty”.
What Digital Sovereignty Really Means
At its core, digital sovereignty is about control. It essentially means having the ability to decide how systems are built, where data is stored, who has access to it, and how services can be used or withdrawn. It also means reducing exposure to external political, legal, and commercial pressures that sit outside national or regional control.
France’s approach reflects a growing belief that relying heavily on foreign-owned platforms, particularly those based in the United States, creates risks that go beyond cost or vendor lock-in.
As another French government statement put it, “Digital sovereignty is not optional, it is a strategic necessity.” In short, this highlights a situation where the issue is no longer just about which software works best, but about whether a country can actually rely on the systems it depends on.
Why US Tech Dependence Is Now Seen As A Risk
The concern is not simply that US companies dominate global technology markets, but that they operate under US law and political control, which can change quickly and have far-reaching consequences.
That risk has come into sharper focus under the current administration of Donald Trump, where foreign policy has become more unpredictable and, at times, openly confrontational, with sanctions and political pressure being used more aggressively against perceived opponents.
One example is the use of sanctions powers by the US government, where organisations or individuals can effectively lose access to digital services if companies are required to comply. In some recent cases, this has reportedly led to email accounts being shut down and access to financial and digital systems being restricted.
This is no longer viewed as a theoretical risk, and European policymakers and analysts increasingly point to real-world situations where access to email, cloud services, or financial systems has been disrupted due to geopolitical decisions.
From a European perspective, that creates a situation where critical infrastructure could be affected by actions taken outside its control, regardless of whether the technology itself is secure.
As Thierry Carrez of Linux Foundation Europe has noted in industry discussions, technical safeguards cannot fully protect against a scenario where a provider is legally required to withdraw service. That is the risk France and others are now trying to reduce.
A Wider European And UK Concern
France is not acting alone. Across the European Union, there is now a coordinated effort to identify and reduce reliance on foreign technology providers.
For example, the European Parliament has already directed the European Commission to assess areas of dependency, and several countries, including Germany and the Netherlands, are investing in open-source and sovereign alternatives.
Also, in the UK, similar concerns are being raised. A recent report from the Open Rights Group warned that “this over-reliance on foreign tech companies is now an urgent national security issue as well as an economic threat,” highlighting how deeply embedded US technology has become in public infrastructure.
The report also pointed to the broader implications of that dependence, noting that a small number of companies have been able to “gain control of the UK’s digital infrastructure, locking the government into wasteful contracts and shaping tech policy in their favour.”
This is not just about technology choices. It is about influence, control, and resilience.
What This All Means In Practice
Moving away from platforms like Windows is only one part of a much larger shift.
Governments are increasingly looking at alternatives to widely used tools such as Microsoft 365, Google Workspace, and US-based cloud services, often favouring open-source solutions or locally hosted platforms.
France, for example, has already begun replacing Microsoft Teams with a domestically developed video conferencing tool and is planning to migrate sensitive health data to a “trusted” platform under its own control.
That said, there is also a recognition that full independence is neither realistic nor necessary, and digital sovereignty is better understood as reducing reliance on any single provider or jurisdiction, rather than attempting to eliminate external technology altogether. That means diversification, interoperability, and greater visibility over where risks exist.
What Does This Mean For Your Business?
For businesses across the UK and Europe, this raises some important questions about reliance on major technology providers.
Many organisations are deeply integrated with platforms such as Microsoft, Google, and Amazon, often without fully considering the broader implications of that dependence.
The growing focus on digital sovereignty suggests that resilience is becoming just as important as functionality or cost, particularly where critical systems and sensitive data are involved.
It also highlights how legal and geopolitical factors can now directly affect access to technology, not just its availability or performance.
In practical terms, this does not mean businesses need to abandon existing platforms, but it does mean understanding where dependencies exist and how they could impact operations if circumstances change.
For technology providers, there is also increasing pressure to demonstrate transparency, data control, and regional independence, particularly as governments and large organisations reassess their long-term strategies.
France’s move away from Windows is unlikely to be the last of its kind, and it reflects a broader shift in thinking that is gathering pace.
The key takeaway here is that technology decisions are no longer purely technical. They are becoming strategic choices about control, resilience, and trust in an increasingly uncertain global environment.
Google Targets Back Button Hijacking In New Spam Crackdown
Google is introducing a new spam policy targeting “back button hijacking”, a deceptive tactic that traps users on websites, with penalties that could see offending sites pushed down or removed from search results.
Spam Policy Change Under “Malicious Practices”
Google has confirmed that from 15 June 2026, back button hijacking will be treated as an explicit violation of its spam policies under “malicious practices”.
This means websites using the technique could face manual penalties or automated ranking drops in Google Search, significantly reducing their visibility and traffic.
The company says the move is in response to a growing number of sites using manipulative tactics that interfere with how users expect the web to work.
In its announcement, Google made the reasoning clear, stating that the behaviour “breaks the expected user journey” and leaves people feeling manipulated.
What Is Back Button Hijacking?
Back button hijacking is a relatively simple concept, but one that most users will have experienced at some point.
It happens when a website interferes with a browser’s back button so that clicking it does not take the user back to the previous page as expected. Instead, users may be redirected to another page, shown unwanted content, or kept within the same site.
In some cases, additional pages are silently inserted into the browser history, creating the illusion that the user has navigated normally when they have not.
The result is a browsing experience that feels confusing and, at times, deliberately obstructive.
This type of behaviour undermines one of the most basic assumptions of the web, that users are in control of their own navigation.
Why Is Google Acting Now?
Google has said it has seen a noticeable rise in this kind of behaviour, which has pushed it to act more explicitly.
While similar practices have long been discouraged, this is the first time back button hijacking has been clearly defined as a standalone violation within Google’s spam policies, signalling a more direct approach to enforcement.
This practice sits within a wider rise in so-called “dark patterns”, where design or technical tricks are used to nudge or trap users into actions they did not intend, with back button hijacking being a clear example that undermines the basic user experience and breaks the expectations people have of how the web should work.
How These Web Tactics Are Being Used
In many cases, back button hijacking is implemented through scripts that manipulate browser history or intercept navigation events.
For example, users might click a search result, land on a site, and then find that pressing “back” does not return them to the search results, but instead cycles through pages they never intended to visit. This can be used to keep users on a site longer, increase ad impressions, or funnel them through affiliate links.
It should be noted here, however, that it is not always deliberate. Google has acknowledged that some instances may come from third-party advertising networks, plugins, or embedded libraries that site owners are not fully aware of.
This means businesses could end up being penalised for behaviour they did not even realise was happening.
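Because the hijack is usually carried out by a script calling the browser history API, a site owner can audit their own pages by instrumenting those calls and attributing them to the script that made them. The following is an added example, not code from Google or from the article: a small audit hook that wraps pushState/replaceState, records each call with a stack trace and whether a user gesture has been seen, and flags the two signs of hijacking the article describes (entries pushed before any user action, and the same URL pushed repeatedly). In a browser it is installed against window.history; here it runs in Node against a constructed stub, and the URLs and the "misbehaving embed" are invented for the demonstration.

```javascript
// Added example (not the article's or Google's code): site-owner audit hook for history manipulation.

function createHistoryStub() {
  // Constructed stand-in for window.history so the audit can run offline in Node.
  const entries = ['https://example.test/landing']; // hypothetical starting page
  return {
    entries,
    get length() { return entries.length; },
    pushState(state, title, url) { entries.push(String(url)); },
    replaceState(state, title, url) { entries[entries.length - 1] = String(url); },
  };
}

function installHistoryAudit(history, opts = {}) {
  const maxSilentPushes = opts.maxSilentPushes ?? 2; // pushes tolerated before any user gesture
  const records = [];
  let userGestureSeen = false;
  const origPush = history.pushState.bind(history);
  const origReplace = history.replaceState.bind(history);

  function record(kind, url) {
    // Keep a stack trace so the calling script (own code, plugin, ad network) can be identified.
    const stack = (new Error().stack || '').split('\n').slice(3).join('\n');
    records.push({ kind, url: String(url), userGestureSeen, at: Date.now(), stack });
  }

  history.pushState = function (state, title, url) {
    record('pushState', url);
    return origPush(state, title, url);
  };
  history.replaceState = function (state, title, url) {
    record('replaceState', url);
    return origReplace(state, title, url);
  };

  return {
    records,
    // Call this from click/keydown handlers in a real page so navigations after a gesture are not flagged.
    markUserGesture() { userGestureSeen = true; },
    report() {
      const findings = [];
      const silentPushes = records.filter(r => r.kind === 'pushState' && !r.userGestureSeen);
      if (silentPushes.length > maxSilentPushes) {
        findings.push(`${silentPushes.length} pushState calls before any user gesture (limit ${maxSilentPushes})`);
      }
      // The same URL pushed repeatedly pads the history stack so "back" never leaves the site.
      const urls = records.filter(r => r.kind === 'pushState').map(r => r.url);
      const dupes = urls.filter((u, i) => urls.indexOf(u) !== i);
      if (dupes.length) {
        findings.push(`duplicate history entries pushed: ${[...new Set(dupes)].join(', ')}`);
      }
      return { suspicious: findings.length > 0, findings, silentPushes: silentPushes.length };
    },
  };
}

function simulate(thirdPartyMisbehaves) {
  const history = createHistoryStub();
  const audit = installHistoryAudit(history, { maxSilentPushes: 2 });
  if (thirdPartyMisbehaves) {
    // Constructed misbehaving embed: pads the stack with the current page before the user does anything.
    for (let i = 0; i < 3; i++) history.pushState({}, '', 'https://example.test/landing');
  }
  // Legitimate single-page-app navigation after a click.
  audit.markUserGesture();
  history.pushState({}, '', 'https://example.test/products');
  return audit.report();
}

console.log('clean site:', simulate(false));
console.log('site with misbehaving embed:', simulate(true));
```

On a real page, install the hook as early as possible (before third-party tags load) and log the report and the captured stack traces to your own endpoint during QA; the stack trace is what tells you which plugin or ad script is responsible.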
Back Button Hijacking – The Consequences And Penalties
Now that Google has decided to act, the consequences of being caught using back button hijacking could be significant. Google has made it clear that sites engaging in the practice may face ranking demotions or, in more serious cases, removal from search results altogether.
For businesses that rely on organic search traffic, this could have a direct and very serious impact on visibility, enquiries, and revenue.
However, Google has also said that sites which fix the issue can request reconsideration, suggesting the focus is on correcting behaviour rather than issuing permanent penalties.
The key point here is that enforcement will be both automated and manual, meaning detection could come from algorithms as well as human review.
What Does This Mean For Your Business?
For businesses with a website, this change is less about a specific tactic and more about a broader change in expectations.
Google is basically making it clear that interfering with user control, even indirectly, is no longer acceptable, and that technical implementations need to align with how users expect the web to behave.
That puts greater responsibility on organisations to understand not just their own code, but also the behaviour of third-party tools, plugins, and advertising platforms integrated into their sites.
It also highlights how user experience is now directly tied to search performance, and practices that frustrate or mislead users are increasingly being treated in the same way as traditional spam.
For many organisations, this will mean taking a closer look at how their website behaves in real-world use, particularly around navigation, redirects, and history handling.
It also means that search engines are now moving beyond content quality alone and are placing more weight on whether a site behaves in a way that users trust.
Google’s move against back button hijacking is a relatively small technical change on the surface, but it reflects a much bigger direction of travel. It seems that the web is being pushed back towards a model where users remain more in control, and where attempts to manipulate that control come with some clear consequences.
£25M No-Bid Deal Keeps UK Police Radios Running Into 2030
UK police forces have awarded a £25 million no-bid contract to keep decades-old radio systems running, highlighting the growing cost and complexity of replacing critical national infrastructure.
Issued by the Police Digital Service
The contract, issued by the Police Digital Service to Motorola Solutions and Sepura, extends support for the UK’s Airwave communications network, which is based on Terrestrial Trunked Radio (TETRA) technology first introduced in the early 2000s.
The six-month extension, running into 2027, covers radios, software, maintenance, and support services, and has been awarded without competition to existing suppliers, including Motorola and Sepura.
Officials say the decision was necessary to ensure that police, fire, and ambulance services can “remain fully operational” while the long-delayed replacement system is still under development. As the official notice from the Police Digital Service states, “a short extension of the TETRA Contract… is required to ensure that public safety agencies… can remain fully operational on the TETRA-based UK Airwave network until the broadband-enabled Emergency Services Network (ESN) is ready for deployment.”
Why The Old ‘Airwave’ System Is Still In Place
Airwave (the UK’s current emergency services communications network) was originally due to be replaced by the Emergency Services Network (ESN), a 4G-based system intended to modernise communications and reduce long-term costs. The programme was first proposed in 2012, with an initial target go-live date of 2017.
However, that timeline has slipped significantly, and current expectations suggest ESN may not be fully operational until 2029, making it more than a decade late.
In the meantime, the existing system, despite its age, remains the backbone of emergency communications across the UK.
This has created a situation where legacy technology must be maintained far longer than originally planned and at increasing cost.
Why There Was No Competitive Tender
The lack of competition is one of the most controversial aspects of the deal.
In normal circumstances, contracts of this size would be subject to open procurement. In this case, officials argue that technical and operational realities leave little choice.
Although TETRA is an international standard, the UK’s Airwave system uses proprietary encryption and strict certification requirements, meaning only a small number of suppliers are approved to provide compatible equipment.
Bringing in a new supplier would require a lengthy accreditation process, potentially taking longer than the remaining lifespan of the system itself. As the procurement notice explains, “onboarding any new supplier… would require an extended period of time, likely exceeding the published ESN delivery schedule.”
There are also practical risks to be considered. Introducing new equipment or providers could require retraining staff, re-certifying devices, and integrating with existing command and control systems, all of which could disrupt frontline operations.
From that perspective, sticking with existing suppliers is seen by many as the least risky option.
The Cost Of Delay
The bigger issue is the wider delay and cost overruns behind the replacement programme. Maintaining Airwave while building ESN has already cost an estimated £11 billion over the past decade, according to the National Audit Office.
The ESN programme itself is reported to be around £3 billion over budget, with repeated delays pushing it further into the future.
This has led to a double cost problem, with the UK continuing to fund an ageing system while also investing in its replacement, without yet realising the benefits of either.
The latest £25 million extension is relatively small in that context, but it reinforces a pattern of incremental spending driven by delays rather than strategic choice.
Arguments For The Decision
Supporters of the contract argue that, despite appearances, it reflects a pragmatic response to a difficult situation.
Emergency communications systems are mission-critical. Any failure could have direct consequences for public safety, meaning reliability takes priority over cost or modernisation.
Airwave, while old, is widely regarded as stable and resilient, with coverage and performance that frontline services trust.
There is also a strong argument that introducing new suppliers or rushing a transition could create more risk than it removes, particularly given the complexity of integrating communications across multiple emergency services.
From this perspective, the contract is less about maintaining outdated technology and more about ensuring continuity until a viable alternative is ready.
Arguments Against The Decision
Critics have raised concerns that awarding a no-bid contract limits competition and may not deliver the best value for money, particularly given the scale and duration of these supplier relationships.
Motorola’s role has attracted particular scrutiny in the past, as the company has been involved in both the Airwave system and aspects of the ESN programme, prompting concerns about conflicts of interest and pricing power.
More broadly, the situation highlights the risks of vendor lock-in, where reliance on a small number of suppliers limits flexibility and increases long-term costs.
There are also questions about accountability. A project that is more than a decade late and billions over budget inevitably raises concerns about planning, governance, and delivery.
For critics, the latest contract is not just a stopgap, but a symptom of a much larger problem.
What Does This Mean For Your Business?
While this is a public sector issue, the underlying lessons are widely applicable.
Many organisations rely on legacy systems that are deeply embedded in their operations, often because replacing them is more complex and risky than expected.
The Airwave situation shows how quickly timelines can slip and how expensive it can become to maintain old systems while attempting to introduce new ones.
It also highlights the importance of understanding supplier dependencies. Where systems rely on proprietary technology or limited vendors, switching options can become restricted, particularly under time pressure.
Also, this case underlines the need to balance innovation with operational stability. Moving too slowly can increase costs and risk, but moving too quickly can introduce disruption that organisations are not prepared to handle.
For most businesses, the answer lies somewhere in between, with careful planning, realistic timelines, and a clear understanding of both technical and commercial constraints.
The UK’s decision to extend its reliance on a 2000-era communications system may appear surprising at first glance, but it reflects a reality many organisations face. Replacing critical technology is rarely straightforward, and when it goes wrong, the consequences can last for years.
Company Check : Mythos AI Sparks Cybersecurity Concerns
Anthropic’s new Mythos AI model is raising serious concerns after tests showed it can independently find and exploit software vulnerabilities, signalling a major change in how cyber risk may develop in the near future.
Mythos AI Brings A New Level of Capability
The model, developed by Anthropic as part of its Claude family, has not been released publicly and is instead being restricted to a small group of partners.
This caution reflects what the model is capable of. For example, in its own technical assessment, Anthropic said Mythos is “strikingly capable at computer security tasks”, with the ability to identify and exploit weaknesses across real-world systems.
In some cases, the model has been shown to discover previously unknown vulnerabilities and produce working exploits with minimal or no human input. Anthropic also noted that “AI models have reached a level of coding capability where they can surpass all but the most skilled humans at finding and exploiting software vulnerabilities.”
That represents a clear break from earlier AI tools, which have largely focused on assisting developers or identifying issues rather than acting on them.
Why Anthropic’s Mythos Is Raising Concern
The implications have quickly moved beyond the technical community, with regulators, central banks, and government officials now assessing what this type of capability could mean at scale.
Institutions including the Bank of England have already highlighted the potential impact on financial stability, particularly in sectors that rely on complex and interconnected IT systems.
The issue is not simply that vulnerabilities exist, but that the speed and scale of discovery may increase significantly.
In its own assessment, Anthropic warned that “the fallout – for economies, public safety, and national security – could be severe” if such capabilities are not carefully managed.
Traditional vulnerability discovery has always been a time-intensive process requiring specialist expertise, so a model that can carry out that same work rapidly across large codebases fundamentally changes the balance by reducing the time organisations have to respond before weaknesses are identified and potentially exploited.
How Access To Mythos Is Being Controlled
Anthropic has responded to the many concerns by limiting Mythos to controlled use through its Project Glasswing programme. Here, selected partners, including major technology providers and financial institutions, are being given access to test their systems and identify weaknesses before attackers can do the same.
It seems that there is a pretty clear defensive case for this, as the same capability that allows the model to uncover vulnerabilities can also be used by organisations to strengthen their systems more effectively.
Anthropic has framed this as a coordinated effort to prepare the industry, describing the model as “a watershed moment for security” that requires “substantial coordinated defensive action across the industry.”
However, the underlying tension remains, since tools that improve defensive capability can also lower the barrier for attackers if they become widely available or are replicated elsewhere.
An Escalating Security Dynamic
One of the key questions is how quickly these kinds of advanced AI-driven cyber capabilities will spread beyond controlled environments. Cybersecurity has always involved a balance between attackers and defenders, but Mythos suggests that balance may become more volatile as both sides begin to rely on increasingly capable AI systems.
If tools like this become accessible beyond controlled environments, the level of expertise needed to carry out sophisticated attacks could fall sharply, meaning people with far less experience could carry out attacks that previously required highly skilled specialists.
It’s also likely that organisations will respond by adopting similar technologies to automate how they test systems, monitor for risks, and fix vulnerabilities more quickly.
This all points towards a faster-moving environment where advantage depends on how quickly organisations can identify and respond to threats, rather than simply preventing them.
Questions Still Remain
Despite the level of concern, there is still uncertainty around how significant a leap Mythos represents in practice. For example, much of the evidence so far comes from Anthropic’s own testing, and independent verification remains limited. Early external assessments suggest the model is highly capable, but not necessarily far beyond previous systems in every scenario.
There is also a broader context to consider here. AI developers have previously taken cautious approaches to releasing powerful models, sometimes accompanied by strong warnings about potential misuse.
Even so, the broader trend is clear, with incremental improvements in capability having a substantial real-world impact when applied at scale, particularly in areas like cybersecurity where speed and automation already play a critical role.
What Does This Mean For Your Business?
For most organisations, Mythos will not be something they use directly in the short term, but the changes it represents are already relevant.
Faster vulnerability discovery means faster potential exploitation, which increases the importance of keeping systems updated, monitoring for unusual activity, and responding quickly when issues are identified.
Many organisations operate complex environments that include legacy systems, third-party software, and shared infrastructure. These environments often contain weaknesses that are not fully visible until something exposes them, and tools like Mythos show how quickly those gaps could be uncovered.
Cybersecurity is becoming a more dynamic challenge as AI capabilities continue to develop, increasing the pace at which threats evolve and requiring more adaptive approaches alongside stronger baseline protections.
There is also now a broader strategic consideration, as AI is no longer just improving productivity but is beginning to change how risk itself is created and managed, meaning organisations that recognise this early will be better prepared to respond as these capabilities develop.
Anthropic’s Mythos model is not yet widely available, and its full impact is still being assessed, but it offers a clear signal of what is coming next. The organisations that respond effectively will be those that recognise the change early and adjust their approach before the wider landscape catches up.
Security Stop-Press : WordPress Plugin Sale Turns Into Hidden Backdoor Attack
More than 30 trusted WordPress plugins were bought by an attacker and then secretly altered to carry malware, exposing a major weakness in how the platform relies on trust.
The plugins, sold via Flippa for a six-figure sum, were updated in August 2025 with hidden backdoor code disguised as a routine compatibility fix. The attacker then waited eight months before activating it, allowing the plugins to build trust across thousands of sites.
In April 2026, the payload was triggered, injecting code into critical files and serving SEO spam only to search engines, leaving site owners unaware. WordPress shut down 31 plugins, but compromised sites required manual cleanup.
A separate attack on Smart Slider 3 Pro, affecting 800,000+ sites, showed the same weakness: trusted plugins can push malicious updates with no code signing or ownership checks.
Businesses should treat plugins as a supply chain risk. Limit usage, review updates carefully, monitor key files, and keep clean backups to recover quickly if compromised.