PMS • Security

Created 30 June 2026 • Updated 30 June 2026

6 Steps to Protect Your PMS and Your Guests

Introduction

You may have already seen the news about the Booking.com data breach that came to light in April 2026 when unauthorised third parties accessed sensitive information including guest names, email addresses, phone numbers, home addresses, check-in and check-out dates, and reservation numbers.

Understandably, the question on most people's minds is less about what happened at Booking.com and more about what it might mean for them. Stolen data does not sit idle. In recent weeks, a number of operators have told us their guests received phishing messages on WhatsApp with convincing-looking messages that reference accurate booking details and include a malicious link requesting payment information to confirm an upcoming booking.

How the scam works

What makes these messages so convincing is how specific they are. A guest receives a WhatsApp message that may contain actual information related to a booking they’ve made – including the hotel, their check-in date and their reservation number. It looks legitimate, and asks them to click a link and make a payment to secure their booking.

From what’s been reported to us so far, the bookings involved have all been made through Booking.com. But there is one secondary point worth keeping in mind though: in a few cases, compromised credentials from the breach were used to access hotel systems where the same email address and password were reused across both platforms.

The good news, is that there are a few simple steps you can take to reduce the risk to your PMS, your data and your guests:

1 Review user accounts

The first and most impactful place to begin with a quick look at who currently has access to your PMS. In a busy operation, user accounts for team members who have moved on can quietly linger longer than anyone means them to.

Take the time to review your active accounts, remove anyone who no longer works with you, and prompt all remaining users to reset their passwords. It is a quick task that meaningfully reduces your risk.

2 Give every team member their own login

Shared logins are common in hospitality, but they become a real liability when credentials are compromised. If a shared account is accessed by an unauthorised party, there is no audit trail and no clean way to contain the problem.

Every member of your team should have their own unique login, using a work email address wherever possible. In Zonal's PMS, additional user accounts can be added at no extra cost, so there is no barrier to getting this right.

Where work email is not available for all staff, think carefully about what data a personal email account can access, and restrict permissions accordingly.

3 Apply least privilege across your accounts

Not everyone needs access to every part of your PMS, and that’s fine. Applying the principle of least privilege, giving each user access to what their role requires, limits the impact any single compromised account can have.

Zonal's PMS lets you define permissions based on roles, with granular control over what each user can view, action and export. If it’s been a while since you reviewed these settings recently, now is a good time take a look.

4 Don’t reuse the same password across platforms

When a breach like Booking.com happens, the risk doesn't always stay with the platform involved. If the same email and password are used elsewhere, those other accounts can be exposed too, even if they had nothing to do with the original breach.

Make sure your team knows not to reuse PMS credentials elsewhere

5 Consider IP restrictions for additional protection

For operators who want tighter control over where their PMS can be accessed, IP restrictions can be applied to the PMS to restrict access to specified IP addresses/ranges.

If you would like to explore this for your properties, our support team can walk you through the options.

6 If your guests have been targeted

If any of your guests have received phishing messages via WhatsApp or anywhere else, that relate to their bookings, please don’t hesitate to get in touch. We're here to help and can talk you through what to do next.

None of this is cause for alarm, but a breach like this is a useful prompt to check a few things over. The steps above take very little time, and together they make a real difference to how well protected your PMS, your data and your guests are. If you'd like a hand working through any of them, or you're simply not sure where to start, our support team is happy to help.

 


By Sarah Howard-Smith • Chief Information Security Officer

Sarah joined Zonal in 2021 as Head of Information Security before being appointed Chief Information Security Officer in 2024. As CISO, Sarah leads Zonal's security strategy across governance, compliance, technology and architecture, ensuring the business remains resilient against an ever-evolving threat landscape. She also holds Data Protection Officer responsibilities for the Zonal Group and is driving Zonal's AI strategy and adoption, carefully balancing innovation with data privacy and risk.