Booking.com Fined $558,000 for Late Breach Notification

A major hotel bookings site has been fined €475,000 after failing to report a serious data breach within the time period mandated by the General Data Protection Regulation (GDPR).

Booking.com suffered the breach back in 2018 when telephone scammers targeted 40 employees at various hotels in the United Arab Emirates (UAE).

After obtaining their login credentials to a Booking.com system, they were able to access the personal details of over 4100 customers who had booked a hotel room in the UAE via the site. Credit card details on 283 customers were also exposed, and in 97 cases the security (CVV) code was compromised.

“Booking.com customers ran the risk of being robbed here. Even if the criminals did not steal credit card details, but only someone’s name, contact details and information about his or her hotel booking, the scammers used that data for phishing,” explained Monique Verdier, VP of the Dutch Data Protection Authority (AP).

“By pretending to belong to the hotel by phone or email, they tried to take money from people. This can be very credible if such a scammer knows exactly when you have booked which room, and asks if you want to pay for those nights. The damage can then be considerable.”

Although the breach does not appear to have been Booking.com’s fault, its response was found wanting.

The travel giant, which is headquartered in the Netherlands, was notified of the incident on January 13 2019, but didn’t report it to AP until February 7 — 22 days later. The GDPR mandates strict rules to report within 72 hours.

Verdier argued that this was a serious violation of the trust that millions of customers place in the platform to keep their details safe. Online firms’ obligations don’t just extend to best practice cybersecurity controls, she claimed, but also to reacting quickly if and when things do go wrong.

“A data breach can unfortunately happen anywhere, even if you have taken good precautions, but to prevent damage to your customers and the repetition of such a data breach, you have to report this in time,” Verdier said.

“That speed is very important: in the first place for the victims of a leak. After such a report, the AP can, among other things, order a company to immediately warn affected customers — to prevent criminals from having weeks to continue trying to defraud customers, for example.”

Booking.com will not contest the fine, according to AP.

What’s Hot on Infosecurity Magazine?