Late Reporting of GDPR Breach Results in €475,000 Penalty for Booking.com

Booking.com has been fined €475,000 ($560,000) after being found to have failed to report a data breach within the time period laid down by the European Union’s General Data Protection Regulation (GDPR).

The GDPR breach took place during 2018 in the United Arab Emirates (UAE), when telephone scammers targeted 40 employees at different hotels. The scammers obtained login details for the Booking.com database and accessed the personal details of more than 4,100 customers of the online travel booking system.

Credit card details of 283 customers were also exposed, and in 97 cases the CVV code was also compromised. The hackers also tried to obtain the credit card details of other victims by posing as a Booking.com employee via email or telephone. As a result of the breach, Booking.com users were at risk of having their data used for phishing.

The company’s main office, which is located in the Netherlands, was made aware of the GDPR violation on 13 January 2019 but did not report it to the Dutch Data Protection Authority until 7 February, some 22 days later. This was despite the fact that the GDPR requires data breaches to be reported within 72 hours of the company becoming aware of them.

Monique Verdier, VP of the Dutch Data Protection Authority (AP) said: “Booking.com customers ran the risk of being robbed here. Even if the criminals did not steal credit card details, but only someone’s name, contact details and information about his or her hotel booking, the scammers used that data for phishing. By pretending to belong to the hotel by phone or email, they tried to take money from people. This can be very credible if such a scammer knows exactly when you have booked which room, and asks if you want to pay for those nights. The damage can then be considerable.”

Verdier went on to say that this incident represents a significant breach of trust for those who use the platform, and that online companies’ responsibilities do not just extend to best-practice cybersecurity controls, she claimed, but also to reacting quickly if and when things do go wrong. She said: “A data breach can unfortunately happen anywhere, even if you have taken good precautions, but to prevent damage to your customers and the repetition of such a data breach, you have to report this in time. That speed is very important: in the first place for the victims of a leak. After such a report, the AP can, among other things, order a company to immediately warn affected customers — to prevent criminals from having weeks to continue trying to defraud customers, for example.”

Responding to the GDPR penalty, Booking.com released a statement that said: “The Dutch DPA fine relates specifically to late notification to them of this incident and is not connected to Booking.com’s security practices, nor to the overall handling of the incident in question.”