Booking.com Fined €475,000 For Late Data Breach Reporting
The Online Travel Agency Delayed Reporting the Breach by 22 Days, Exceeding the 72-Hour Limit.
The Dutch Data Protection Authority (AP) has imposed a €475,000 fine on Booking.com for reporting a data breach to the AP too late. Cybercriminals exfiltrated the personal data of more than 4,000 customers and also obtained the credit card details of nearly 300 victims.
The attackers obtained login credentials for accounts in a Booking.com system by telephoning employees of 40 hotels in the United Arab Emirates, and used those credentials to reach the victims' data.
In December 2018, attackers gained access to the data of 4,109 people who had booked a hotel room in UAE via Booking.com. This included their names, addresses and telephone numbers and details about their booking.
The criminals also stole the credit card details of 283 people, including the card's security code in 97 cases. In addition, they tried to obtain the credit card details of other victims by posing as Booking.com employees over email or telephone.
Booking.com was notified of the data breach on January 13th, 2019, but did not report it to the AP until February 7th, 22 days past the deadline: the GDPR mandates that companies report data breaches to the supervisory authority within 72 hours of becoming aware of them.
Booking.com notified affected customers of the leak on February 4th, 2019. The company also took other measures to limit the damage, such as offering to compensate any financial losses.
This is not the first time Booking.com has dealt with such an attack. In November 2020, the company was hit by another breach that potentially exposed the data of millions of its customers.
Verdier argued that this was a serious violation of the trust that millions of customers place in the platform to keep their details safe. Online firms’ obligations don’t just extend to best practice cybersecurity controls, she claimed, but also to reacting quickly if and when things do go wrong.
According to the AP, Booking.com will not contest the fine.