The Dutch Data Protection Authority (Autoriteit Persoonsgegevens -AP) has fined the online hotel booking company Booking.com €475,000 ($564,590) for “a serious violation” of the General Data Protection Regulation (GDPR).
In 2018, around 40 hotel employees in the United Arab Emirates were targeted by telephone scammers who obtained credentials that allowed them to access Booking.com’s systems, on which the personal data of more than 4,100 customers was stored. Those individuals had booked rooms at the various UAE hotels via the Booking.com website. The scammers obtained personal information such as names, addresses, and telephone numbers along with 283 credit card numbers and 97 CVV codes.
A breach such as this placed all 4,100 customers at risk, either of credit card fraud or phishing scams. The scammers used the personal information to contact many individuals by telephone and email, impersonating the hotel where they had booked to obtain credit card details.
The financial penalty was not imposed for the data breach itself, but the failure to report the breach to the Dutch DPA within 72 hours of discovering the breach, as required by Article 33 of the GDPR.
Booking.com was notified about the breach on January 13, 2019 but did not report the breach to the Dutch DPA until February 7, 2019 – 22 days after discovering the breach had occurred. Booking.com sent notifications to all affected customers on February 4, 2019 and offered to compensate them for any damages they had suffered as a result of the breach.
“A data breach can unfortunately happen anywhere, even if you have taken good precautions, but to prevent damage to your customers and the repetition of such a data breach, you have to report this in time,” said Monique Verdier, Vice President of the Dutch DPA. “That speed is very important: in the first place for the victims of a leak. After such a report, the AP can, among other things, order a company to immediately warn affected customers — to prevent criminals from having weeks to continue trying to defraud customers, for example.”
The Dutch DPA said Booking.com has agreed to pay the financial penalty and will not contest the fine.