Security breach at Visit Inari exposes customer data in Finland

Tommi Lappalainen, CEO of Visit Inari, has reported a security breach in the company’s reservation system, allowing online fraudsters to access and steal customer information. The compromised data includes phone numbers, email addresses, credit card types, the last four digits of those cards, as well as reservation details like dates and prices. This information enabled the scammers to send convincing chat messages via Booking.com, demanding payments from customers in lieu of booking fees.

The breach occurred on October 21 at 19:14. It was discovered the following Friday when customers began inquiring about unusual chat messages. According to Lappalainen, fraudsters have successfully extracted hundreds to over a thousand euros from clients, equivalent to their respective booking amounts. Customers have only lost money if they interacted with the scam messages. Some may be able to recover their funds through credit card companies.

Lappalainen explained that the fraudsters gained access to the reservation system after an employee mistakenly clicked a link in Google search results, which redirected them to a fraudulent site that appeared legitimate. This link revealed the employee’s login credentials to the scammers, who then accessed the genuine system to collect sensitive data. Although the reservation system operates separately from Booking.com, the fraudsters leveraged the customer information to send credible messages through the platform. The breach pertains only to reservations made before October 21 at 19:14.

Visit Inari is urging customers to report any new suspicious chat messages received via Booking.com. Further information is available on Visit Inari’s website. Lappalainen noted that the company received significant assistance from Arctic Snowhotel & Glass Igloos, which experienced a similar scam just weeks prior.