The Dutch Data Protection Authority (DPA) has imposed a €475,000 fine on Booking.com because the company reported a data breach to the DPA 22 days later instead of making the notification within the required 72 hours.
When the breach occurred, criminals accessed the personal data of over 4,000 customers including the payment card information of almost 300 people.
In a telephone scam targeting 40 hotels in the United Arab Emirates in December 2018, the criminals managed to obtain from hotel staff the log-in details for their accounts in a Booking.com system.
The criminals then accessed the personal data of 4,109 people who had booked a hotel room in the UAE, (e.g. their names, addresses and telephone numbers and the details of their booking).
The criminals were also able to access the credit card information of 283 people and the security code of 97 of them.
The criminals also tried to obtain the credit card information of other victims, by acting as Booking.com staff in emails or on the telephone.
The data breach was reported 22 days too late
Booking.com was informed of the data breach on 13 January 2019, but report it to the DPA only on 7 February, that is 22 days too late. Indeed, the deadline for reporting data breaches is 72 hours under the GDPR.
On 4 February 2019 Booking.com informed the affected customers of the breach. The company also took other measures to limit the damage, such as offering to compensate any losses.
Booking.com’s global headquarters are in the Netherlands, which is why the Dutch DPA performed the investigation and coordinated the investigation with other European data protection authority.
Although the events that led to the data breach first occured in the UAE, we assume that it concerns individuals who made their reservation on an EU booking.com website.
Booking.com said that it will not lodge an objection to or apply for review of the decision imposing the fine.
The DPA Deputy Chair comments
According to the DPA deputy Chair, Ms Verdier, ‘A company of this size, which stores valuable personal data of millions of customers in its systems, has a huge responsibility. Customers are entrusting their personal data to Booking.com. And the company must do everything it can to protect that data properly. That means not only ensuring good security to prevent breaches, but also taking rapid action if the worst should happen.’
Explosive increase in data theft
The Dutch DPA took this opportunity to warn that, in 2020, it saw an explosive increase in the number of hacks aimed at stealing personal data (30% higher than in the previous year).
Given this explosive increase of data breaches lately, we may wonder if the GDPR obligations regarding the notification of data breaches has helped ensure more compliance or if, on the contrary, it has stimulated the appetite of hackers who now know they may hurt organisations even more than they used to.
Maybe the right balance should be struck, as the hackers attacking company’s system are neither identified nor sanctioned while negligent companies are vilified.