The Autoriteit Persoonsgegevens (AP) is wrapping up a period of intensified monitoring of Booking.com. For a year, in 2023, the AP monitored whether Booking.com was properly complying with the rules on reporting data breaches, because the AP had indications that Booking.com had previously not always reported data breaches on time. The AP now concludes that Booking.com complied well with the data breach reporting rules in 2023.

The AP fined Booking.com 475,000 euros (1) in 2021 for late notification of a data breach. In that breach, criminals captured personal data of 4,000 customers, including credit card information of 300 victims. In the period that followed, the company may also have failed to report some data breaches to the AP on time.
By instituting more intensive monitoring, the AP wanted to ensure that Booking.com reports data breaches on time, both to the AP and to victims. Throughout 2023, Booking.com had to report on the measures it took to report data breaches to the AP on time. Booking.com also had to report on measures to prevent future incidents. In addition, the AP checked whether Booking.com wrongly failed to report certain incidents at all. During the period of intensified monitoring, the company was found to have reported all the incidents it was required to report.
As a major platform, Booking.com has a big responsibility to prevent personal data leaks, says AP vice president Monique Verdier: "Users hand over sensitive information, such as their credit card details. It is important that Booking.com protects this data well. Yet unfortunately, a data leak can happen anywhere, even if you have taken good precautions. To prevent damage to your customers and repetition of such a data breach, you must report the data breach to the AP in time, so that the AP can advise where necessary."
During the intensified monitoring, Booking.com reported several fraud cases. In many of these cases, criminals managed to take over the accounts of accommodations on Booking.com. Guests were then scammed from the account that had been taken over. The scammers asked customers to pay for the hotel room, for example because something had allegedly gone wrong with a previous payment. Because the messages came through Booking.com's messaging system, they appeared authentic to customers.
Because of such incidents, the AP continues to keep a close eye on Booking.com. If there are signs that Booking.com is violating the law, the AP can always take enforcement action.
(1) https://autoriteitpersoonsgegevens.nl/actueel/boete-bookingcom-voor-te-laat-melden-datalek
