€475,000 Penalty for Booking.com

Booking.com has been sanctioned with a GDPR penalty of €475,000 ($560,000) for failing to report a data breach within the time limit set by the European Union’s General Data Protection Regulation (GDPR).

The GDPR breach in question occurred in 2018 in the United Arab Emirates (UAE), when attackers working by telephone compromised some 40 employees across a range of hotel locations. The cybercriminals obtained login credentials for the Booking.com database and downloaded the personal details of over 4,100 customers of the online travel booking platform.

In addition, credit card information for 283 customers was also exposed, and in 97 of those cases the CVV code was obtained as well. Those responsible also attempted to steal the credit card details of other victims by pretending to work for Booking.com in emails and telephone calls. As a result of the breach, Booking.com users were in danger of having their data used for phishing.

Booking.com HQ, located in the Netherlands, was informed of the GDPR breach on 13 January 2019 but did not file an official report with the Dutch Data Protection Authority until 7 February, some 22 days after that point. GDPR requires that a data breach be reported no more than 72 hours after the company becomes aware of it.

Responding to the GDPR penalty, Booking.com released a statement that said: “The Dutch DPA fine relates specifically to late notification to them of this incident and is not connected to Booking.com’s security practices, nor to the overall handling of the incident in question.”

Monique Verdier, VP of the Dutch Data Protection Authority (AP), said: “Booking.com customers ran the risk of being robbed here. Even if the criminals did not steal credit card details, but only someone’s name, contact details and information about his or her hotel booking, the scammers used that data for phishing. By pretending to belong to the hotel by phone or email, they tried to take money from people. This can be very credible if such a scammer knows exactly when you have booked which room, and asks if you want to pay for those nights. The damage can then be considerable.”

Verdier went on to say that this breach represents a significant breach of trust for those who use the platform, and that online companies’ responsibilities do not just extend to best-practice cybersecurity controls, she claimed, but also to reacting quickly if and when things do go wrong.

She added: “A data breach can unfortunately happen anywhere, even if you have taken good precautions, but to prevent damage to your customers and the repetition of such a data breach, you have to report this in time. That speed is very important: in the first place for the victims of a leak. After such a report, the AP can, among other things, order a company to immediately warn affected customers — to prevent criminals from having weeks to continue trying to defraud customers, for example.”