There are many more hotels than just two involved now and the common point is booking dot com ( BDC)
One of the Trip Advisor threads relates how the website interface used by hoteliers to access their BDC info is only protected by a 4 digit pin, so all you need is to select a hotel and try a PIN. Keep using the same PIN across multiple hotels, you'll soon enough find a valid hotel/pin combination. Thats one way they could be getting in.
This is also very targeted fraud, its not just done only by email, they are phoning out to "marks", and answering the phone to enquiries (using a supposedly BDC phone number in the email, obviously its the scammers)
So, this is a low volume operation, might only be a handful of people operating it, there is no point blasting any info gained out or selling it, each "mark" needs careful treatment, plus the fact there isnt a mass email going out pretty much proves its selective access, eg not every single BDC booking has been compromised.
IMO BDC's public response is pretty pathetic, all they have done is put out a bland email about crooks targetting credit card numbers, when its bank transfers (no doubt via mules) they are using.