Booking.com fined for delay in reporting data breach

The Dutch Data Protection Authority (DPA) has imposed a €475,000 fine on Booking.com because the company took too long to report a data breach to the DPA. When the breach occurred, criminals obtained the personal data of over 4,000 customers. They also obtained the credit card information of almost 300 people.

In a telephone scam (voice phishing) targeting 40 hotels in the United Arab Emirates in December 2018, the criminals persuaded hotel staff to reveal the log-in details for their accounts in a Booking.com system. With those credentials the criminals gained access to the data of 4,109 people who had booked a hotel room in the UAE. The data included their names, addresses and telephone numbers, as well as details of their booking.

The criminals were also able to access the credit card information of 283 people. In 97 cases, the credit card security code was obtained as well. The criminals also tried to get hold of the credit card information of other victims, by posing as Booking.com staff in emails or on the telephone.

“Booking.com customers ran a risk of falling victim to serious theft,” said DPA Deputy Chair Monique Verdier, “even if the criminals didn’t obtain credit card information but only someone’s name, contact details and booking information. After all, those details could be used by fraudsters for ‘phishing’ expeditions.”

Booking.com was informed of the data breach on January 13, 2019, but did not report it to the DPA until February 7, which is 22 days too late: under the GDPR, a data breach must be reported to the supervisory authority within 72 hours of the organisation becoming aware of it. On February 4, 2019 Booking.com informed the affected customers of the breach. The company also took other measures to limit the damage, such as offering to compensate any losses.

Verdier said, “Unfortunately, a data breach can occur anywhere, even if you have good precautionary measures in place. But in order to prevent harm to customers and future attacks, you have to report a breach on time.”

Booking.com will not lodge an objection to or apply for review of the decision imposing the fine.

In 2020 the DPA warned it was seeing an explosive increase in the number of hacks aimed at stealing personal data. The number of such breach reports it received in 2020 was 30% higher than in the previous year.

Intelligent CISO