The Autoriteit Persoonsgegevens (AP) is fining Booking.com 475,000 euros for reporting a data breach to the AP too late. In the data breach, criminals captured personal data of more than 4,000 customers. In the process, they were also able to get their hands on credit card data of nearly 300 victims.

Criminals used phone calls to trick employees of 40 hotels in the United Arab Emirates into giving up the login credentials for their accounts in a Booking.com system.
With those credentials, in December 2018, the criminals gained access to the details of 4,109 people who had booked hotel rooms in that country through the booking site. This included their names, addresses and phone numbers, and details about their booking.
In the process, the criminals also accessed the credit card information of 283 people; in 97 of these cases this included the credit card's security code. In addition, they tried to obtain the credit card information of other victims by pretending to be Booking.com employees by mail or phone.
'Booking.com customers here were at risk of being substantially robbed,' said AP vice president Monique Verdier. 'Even if the criminals did not capture credit card data but only someone's name, contact details and information about his or her hotel booking. In fact, the scammers used that data for phishing.'
'By pretending by phone or email to be from the hotel, they tried to take money from people. That can be very credible if such a scammer knows exactly when you booked which room. And asks you to pay for those nights. The damage can be considerable,' Verdier said.
Booking.com was notified of the data breach on Jan. 13, 2019, but did not report it to the AP until Feb. 7. That is 22 days late: a data breach must be reported within 72 hours.
Booking.com notified affected customers of the leak on Feb. 4, 2019. In addition, the company took other measures to mitigate the damage, such as offering to compensate any damages.
'This is a serious breach,' Verdier says. 'Unfortunately, a data breach can happen anywhere, even if you have taken good precautions. But to prevent damage to your customers and repetition of such a data breach, you need to report it on time.'
'That speed is of great importance. In the first place for the victims of a leak. After such a report, the AP can, among other things, order a company to immediately warn affected customers. In order to prevent criminals, for example, from having weeks to continue trying to defraud customers.'
Verdier: 'Such a large company, with valuable personal data of millions of customers in its systems, has a great responsibility. Customers entrust their personal data to Booking.com. And it must do everything possible to protect the data properly. That means good security to prevent a leak, but also quick action should things unexpectedly go wrong.'
Booking.com is not appealing or objecting to the AP's fine.
The Booking.com investigation was an international one: Booking.com is an international company with customers from different countries. Because Booking.com has its global headquarters in the Netherlands, the AP conducted this investigation. As the matter crosses borders, the AP coordinated the investigation with the other European privacy regulators.
The data breach notification requirement means that both companies and government bodies must report a serious data breach to the AP immediately, and in any case no later than 72 hours after discovering it. In certain cases, they must also notify the people whose personal data has been leaked. A data breach is reported through the AP's Data Breach Notification Office.
The AP signaled an explosive increase in the number of hacks aimed at capturing personal data in 2020: the number of such reports rose by as much as 30% compared to 2019, according to the 2020 Data Breach Report. Data theft is often preventable through better security.
