Your Booking System Is Your Biggest Attack Surface.

Credential stuffing, fake reservations, and payment fraud are hitting Donegal hotels and guesthouses. Here is how Irish accommodation providers can protect their booking infrastructure.

When a Donegal hotel group contacted us in late 2024, a three-week-old credential stuffing attack had already cost them over €80,000. The attackers had obtained login credentials from an unrelated data breach — a staff member had reused the same password across personal and work accounts — and used automated tools to test those credentials against the hotel's property management system. Once inside, they created fake reservations using stolen credit card numbers, modified payment routing on several legitimate bookings, and downloaded a guest database containing names, phone numbers, and passport details from over 2,000 stays. The hotel discovered the breach when a legitimate guest called to complain they could not access their reservation. By then, the damage was done.

The attack was not sophisticated. It exploited a combination of password reuse, the absence of multi-factor authentication, and no monitoring of unusual login activity. All three are fixable in a day. The €80,000 loss was not.

Why Booking Systems Are High-Value Targets

Your booking system is not a single piece of software. It is an interconnected ecosystem: a website booking engine, channel manager accounts across Booking.com, Expedia, and Airbnb, a property management system (PMS) holding guest profiles and payment data, payment processing connections, and the front-desk network used to access all of them. Each connection in that ecosystem is a potential entry point.

Attackers target hospitality booking systems because they are rich with exactly the data that has commercial value: credit card details, guest contact information, passport numbers in some cases, and payment routing that can be manipulated to redirect funds. The NCSC Ireland has flagged the hospitality sector as a growing target for credential-based attacks and payment fraud, consistent with trends across European tourism markets.[^1]

The vast majority of Donegal and North West accommodation businesses — hotels, guesthouses, self-catering properties, and glamping sites — manage their booking infrastructure with lean IT arrangements. The PMS vendor provides the software, a local IT provider manages the infrastructure, and security oversight sits in a gap between the two. That gap is where attacks happen.

Does your booking system have MFA enabled — and do you know who has admin access to your PMS right now? Book a free 20-minute strategy call — we work with Irish hospitality businesses to close the specific security gaps that attackers exploit in booking infrastructure.

The Three Attacks You Need to Know About

Credential stuffing is the most common attack affecting Donegal hospitality businesses. Attackers obtain username and password lists from data breaches affecting other services — a staff member's compromised social media account, a breached subscription service, a previous employer's data leak. They then use automated tools to test those credentials against your booking system, PMS, and channel manager accounts. If any of your staff have reused passwords across personal and professional accounts — and most people do — the attacker gains access without ever breaking any encryption. Once inside, they can create fake reservations, download guest data, or modify payment details. The attack is quiet, automated, and typically undetected until a guest or bank raises an alert.

Fake reservation fraud uses stolen credit card numbers to create bookings. The attacker's goal is either to test whether a stolen card number is valid, to claim a non-refundable deposit before cancelling outside the window, or to use the reservation infrastructure as a route into wider systems. The Data Protection Commission has received notifications from Irish hospitality businesses following fake reservation fraud where guest payment data was subsequently compromised.[^3]

Channel manager account compromise targets the accounts linking your PMS to Booking.com, Expedia, and other online travel agents. An attacker with access to your Booking.com extranet can modify your rates, mark rooms as unavailable, redirect payment payout accounts, or harvest guest contact details to use in follow-on phishing attacks. This specific attack vector increased significantly across European hospitality businesses in 2024 and has affected Irish properties in Donegal, Sligo, and Mayo.

The Controls That Stop These Attacks

The good news is that the three most common booking system attacks are all preventable with a small set of well-understood controls that cost little and take minimal time to implement.

Multi-factor authentication on every account is the single most effective control. Enable MFA on your PMS admin accounts, your channel manager logins, your Booking.com extranet, your payment processor dashboard, and any other booking-related platform. An Garda Síochána's National Cyber Crime Bureau consistently finds that MFA would have prevented the majority of credential stuffing attacks affecting Irish businesses — not because credential stuffing becomes impossible against MFA-protected accounts, but because attackers move on to easier targets when MFA is in place.[^2]

Unique passwords for every platform, managed through a password manager, close the credential reuse vulnerability that makes credential stuffing effective. A business-grade password manager costs under €5 per user per month and eliminates the need for staff to remember separate credentials for 12 different platforms.

Login monitoring — reviewing the admin login history for your PMS and channel manager accounts weekly — allows you to spot unusual access before it becomes a serious incident. Most modern PMS platforms provide an audit log. Checking it takes five minutes. The Donegal hotel group mentioned above had access to this log; they simply had no process for reviewing it.

Restricting admin access to the minimum necessary staff limits the blast radius of any future compromise. If your reservations manager does not need PMS admin access, they should not have it. If your finance director does not need access to the Booking.com extranet, remove it. Quarterly access reviews — who has what access and why — are a basic control that most hospitality businesses do not currently perform.

The controls that protect your booking system are not complex or expensive. They are simply not in place in most Donegal accommodation businesses.

Your GDPR Obligations

Guest data held in your PMS and booking system is personal data under GDPR. If that data is breached — through credential stuffing, a fake reservation attack, or any other means — you have a 72-hour notification obligation to the Data Protection Commission if the breach poses risk to your guests' rights and freedoms. A breach involving credit card numbers, passport details, or guest contact data almost certainly meets that threshold.

The DPC has investigated several Irish hospitality businesses following booking system breaches and has consistently examined whether appropriate technical measures were in place at the time — specifically MFA and access controls. Businesses that cannot demonstrate those measures were implemented face both regulatory findings and reputational consequences that extend beyond the technical incident.

What to Do This Week

Three actions for any Irish accommodation provider:

  1. Enable MFA on all booking-related accounts today. Start with your PMS admin accounts and your Booking.com extranet login. Both platforms support MFA. This takes 20 minutes and stops the majority of credential stuffing attacks.

  2. Audit who has PMS admin access. Pull the user list from your PMS and identify every account with administrative privileges. Remove access from anyone who no longer needs it. This is a five-minute task that materially reduces your exposure.

  3. Check your PMS login audit log for the last 30 days. Look for logins at unusual times (overnight, weekends), from unfamiliar IP addresses or locations, or for accounts that should not have been active. Flag anything suspicious and change the relevant passwords immediately.
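One way to turn the audit-log review in step 3 (and the weekly login monitoring described earlier) into a repeatable script, written here as an added example rather than code from the original article. The CSV layout, office IP range and former-staff list are constructed assumptions, and the final check goes beyond the article's list by also flagging a single address that fails against many different accounts, the usual signature of credential stuffing:

```python
# Added example, not from the original article. Assumed (constructed) CSV export columns:
# timestamp (ISO 8601, local time), user, source_ip, result (SUCCESS/FAILURE); adapt to your PMS.
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample export: two ordinary weekday logins, then a night-time session
# from an outside address that also fails against five other accounts in quick succession.
SAMPLE_LOG = """timestamp,user,source_ip,result
2024-11-04T08:55:12,reception1,192.0.2.10,SUCCESS
2024-11-04T09:10:44,manager,192.0.2.11,SUCCESS
2024-11-05T02:13:05,manager,198.51.100.77,SUCCESS
2024-11-05T02:13:09,j.murphy,198.51.100.77,SUCCESS
2024-11-05T02:14:01,reception1,198.51.100.77,FAILURE
2024-11-05T02:14:02,reception2,198.51.100.77,FAILURE
2024-11-05T02:14:03,finance,198.51.100.77,FAILURE
2024-11-05T02:14:04,owner,198.51.100.77,FAILURE
2024-11-05T02:14:05,night_audit,198.51.100.77,FAILURE
2024-11-09T14:20:30,reception2,192.0.2.12,SUCCESS
"""

OFFICE_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]  # constructed: front-desk/office range
FORMER_STAFF = {"j.murphy"}                                # constructed: account that should be disabled
BUSINESS_HOURS = range(7, 23)                              # 07:00 to 22:59 local time
FAILURE_THRESHOLD = 5                                      # distinct accounts failing from one IP

def triage(export_text: str) -> dict:
    """Group events under the article's three checks plus a credential-stuffing burst check."""
    findings = {"off_hours": [], "unfamiliar_ip": [], "inactive_account": [], "stuffing_ip": []}
    failed_users_by_ip = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        ip = ipaddress.ip_address(row["source_ip"])
        event = f"{row['timestamp']} {row['user']} {row['source_ip']} {row['result']}"
        if row["result"] == "FAILURE":  # failures are not logins; tally usernames tried per IP
            failed_users_by_ip[ip].add(row["user"])
            continue
        if ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5:   # overnight or weekend
            findings["off_hours"].append(event)
        if not any(ip in net for net in OFFICE_NETWORKS):        # unfamiliar source address
            findings["unfamiliar_ip"].append(event)
        if row["user"] in FORMER_STAFF:                          # account that should not be active
            findings["inactive_account"].append(event)
    for ip, users in failed_users_by_ip.items():
        if len(users) >= FAILURE_THRESHOLD:   # one address spraying many accounts
            findings["stuffing_ip"].append(f"{ip} failed logins for {len(users)} distinct accounts")
    return findings
```

Run `triage(SAMPLE_LOG)` and change the passwords on every account that appears under any heading, starting with successful logins from outside your own address range.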

Related Reading

[^1]: NCSC Ireland — Advice for Organisations: https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: An Garda Síochána — Cyber Crime: https://www.garda.ie/en/crime/cyber-crime/
[^3]: Data Protection Commission: https://www.dataprotection.ie

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.