Mr. P.N.H from Hanoi booked a hotel in Phan Thiet City, Binh Thuan Province through the Agoda online platform, choosing to pay at the hotel. However, upon arrival, he was shocked to discover that his credit card information, including the 3-digit CVV code, had been compromised.
According to Mr. H., he made the booking through Agoda, and the booking code displayed detailed credit card information on Booking.com (Agoda is a subsidiary of Booking.com).
On August 30, in response to inquiries from the NLD newspaper regarding Mr. H.’s case, a representative from the bank that issued the customer’s card stated that the transaction “Booking did not comply with PCI DSS regulations on card encryption. The bank will work with the card organization and the card payment service provider.”
The exposure of credit card information, including the CVV code, poses a significant risk of financial loss for cardholders.
As a precautionary measure, the bank will reissue the card to assure the customer. The bank also clarified that Agoda had encrypted the card information, and there was no instance of full card details being displayed as claimed.
Agoda, on the other hand, asserted that it prioritizes the privacy of customer data and employs the highest security measures. They denied any data breach in this case, attributing it to human error. Agoda is currently working with the hotel to prevent similar incidents and reaching out to the customer to offer appropriate support.
According to Agoda’s privacy policy published on its official website in June 2024, the platform may collect “name, address, phone number, credit card details, email address…” when customers make a reservation. Additionally, they may share customer information with “travel service providers, third-party service providers, business partners, and companies within the same group.”
According to experts, the exposure of credit card information, including the 3-digit CVV code, poses a significant risk. There is a possibility of unauthorized charges or information theft for online payments, leading to financial loss for cardholders.
Some credit cardholders shared their experience of booking hotels on platforms like Agoda and Booking.com, recommending the use of international credit cards and setting spending limits for online transactions. They also suggested disabling online payment functionality when not in use to prevent information theft.
Mr. H.’s booking through Agoda displayed credit card information on Booking.com. The printout provided by the hotel staff also indicated that “you can view the guest’s credit card information two more times (!?)
“Agoda Customers Stunned by Credit Card Data Breach”
Offering a seamless online booking experience, a Hanoi-based customer shares their concern over the storage of their credit card details, including the card number and CVC code, which were saved in their customer profile at the resort.
