Recent cyber incidents involving Booking.com and New South Wales-based Mastercom have drawn Australian consumers into the global cyber threat landscape.
Booking.com has notified customers, including users in Australia, that some reservation information was accessed by unauthorised third parties after suspicious activity was detected on its platform. In emails to affected users, the Netherlands‑headquartered travel site said it had identified unusual activity on a number of bookings and taken steps to limit the impact. The company’s investigation indicated that customer names, email addresses, phone numbers, and other details shared with accommodation providers may have been exposed in the incident.
In response, Booking.com has reset reservation and PIN numbers linked to the affected bookings and warned customers to watch for attempts by fraudsters posing as accommodation providers or as Booking.com representatives. “The security of your personal information is our utmost priority. We will continue to enhance and extend the robust security measures we have in place to secure your reservations with us,” the company said in its letter to customers, as reported by News.com.au. Customers have been advised to treat unsolicited links, payment requests, and credential prompts cautiously, especially where they refer to upcoming stays or booking details.
A Booking.com spokesperson said the firm had identified “suspicious activity by unauthorised third parties that accessed some of their guests’ booking information.” The spokesperson said: “Upon discovering the activity, we took action to contain the issue. We have updated the PIN number for these reservations and informed our guests. We can confirm that financial information was not accessed from Booking.com’s systems. At Booking.com, we are dedicated to the security and data protection of our guests.” The platform has not disclosed how many customers were affected. The case illustrates aggregation risk where large volumes of personal data and travel itineraries are held by a single platform, as well as the potential for follow‑on phishing, impersonation, and payment fraud involving both policyholders and accommodation providers.
In a separate development, the INC Ransom hacking group has claimed to have compromised systems at Granville‑based Mastercom – a communications provider whose clients include transport, government, and emergency services organisations – and has published what it says is internal and customer data on its darknet leak site. According to cyberdaily’s report, INC Ransom first named Mastercom in an April 11 post, stating that it had obtained customer, human resources, and financial records. The group later released a larger dataset, including material associated with Queensland Communications, which Mastercom acquired in 2013.
The published files reportedly include folders tied to individual Mastercom employees and backup data. Information attributed to Queensland Communications includes a directory of more than 100 customer organisations and, in at least one example, fault reports that contain internal building layout details, photographs of cable installations, and locations of communications equipment. Mastercom managing director Hamish Duff acknowledged the situation in a brief statement to cyberdaily. “Thanks for contacting Mastercom. We are aware of the incident you are referring to. Steps were taken when it occurred, and we won’t be commenting further,” Duff said.
Mastercom provides two‑way radio and communications services to clients in transport and logistics, local government, emergency services, and aviation and ports. Along with other providers, it operates the Orion Network, which it describes as “Australia’s largest commercial two-way radio network,” and supplies two‑way radio emergency response services to state and federal police, the SES, and fire services. An incident involving a provider with links into emergency and public sector operations raises questions about third‑party and contingent business interruption exposures, as well as the handling of operational and site‑level information that may now be accessible to threat actors.
The Mastercom claim has again drawn attention to INC Ransom’s activities in Australia. The group has operated since 2023 on a ransomware‑as‑a‑service model, providing tooling to affiliates and receiving a share of any ransom payments. According to advisory material from the Australian Cyber Security Centre (ACSC), INC Ransom affiliates have increasingly focused on Australian professional services and healthcare entities. Recent incidents have involved initial access via compromised accounts, followed by privilege escalation through the creation of administrator‑level accounts, lateral movement within networks, deployment of malicious files with the name “win.exe” and, in some cases, exfiltration of personally identifiable and medical information. These tactics reflect ransomware trends seen by cyber insurers, including data theft before encryption, use of leak sites to increase pressure, and the combination of privacy and business interruption impacts in a single event. The continued use of ransomware‑as‑a‑service is influencing positions on minimum security controls, extortion and restoration sublimits, and panel incident response arrangements.
The Booking.com and Mastercom incidents align with patterns observed by QBE Insurance’s global cyber threat intelligence teams, which indicate that many events still originate from human behaviour or credential compromise rather than new attack types. QBE’s analysis points to phishing, stolen or misused credentials, and weak access controls as consistent entry points for attackers. Ransomware remains a significant driver of loss frequency, and Australia is identified among the more targeted jurisdictions for ransomware activity. The insurer also notes ongoing vulnerabilities in widely used enterprise software and the role of complex supply chains and third‑party providers as access routes into organisations.
Ben Richardson, cyber product lead at QBE Insurance Australia, said the data continues to show the central role of identity and user behaviour. “A consistent theme we’re seeing in our global threat intelligence is that cyber incidents are still being enabled by human behaviour and identity compromise. Phishing, credential misuse, and basic access weaknesses remain common entry points,” Richardson said. He added: “Cyber threats are fundamentally global. Our cyber teams see the same core threat drivers repeat across regions – ransomware, software vulnerabilities, and third-party exposure – which reinforces the importance of staying connected to international threat intelligence rather than looking at Australia in isolation.”
Richardson said cyber risk is increasingly treated as a governance and operational matter, not only an IT issue. He said insurers can support insureds before a loss through threat intelligence, guidance on governance frameworks, and executive‑level tabletop exercises that clarify decision‑making and escalation processes during an incident. “When an incident does occur, insurance not only provides financial support; it enables rapid access to experienced legal, technical, and response expertise. That early support can significantly reduce disruption, recovery time, and follow on impacts,” he said.
