Booking.com fined for delay in reporting data breach
The Dutch Data Protection Authority (DPA) has imposed a €475,000 fine on Booking.com because the company took too long to report a data breach to the DPA. When the breach occurred, criminals obtained the personal data of over 4,000 customers. They also got their hands on the credit card information of almost 300 people.
In a telephone scam targeting 40 hotels in the United Arab Emirates in December 2018, the criminals persuaded hotel staff to reveal the log-in details for their accounts in a Booking.com system. In this way the criminals gained access to the data of 4,109 people who had booked a hotel room in the UAE. The data included their names, addresses and telephone numbers, as well as details of their booking.
The criminals were also able to access the credit card information of 283 people. In 97 cases, the credit card security code was obtained as well. The criminals also tried to get hold of the credit card information of other victims, by posing as Booking.com staff in emails or on the telephone.
‘Booking.com customers ran a risk of falling victim to serious theft,’ says DPA deputy chair Monique Verdier, ‘even if the criminals didn’t obtain credit card information but only someone’s name, contact details and booking information. After all, those details could be used by fraudsters for “phishing” expeditions.’
‘By posing in emails or on the phone as hotel staff, they attempted to steal money from people. Such an approach can seem highly credible if the fraudster knows exactly when you made a booking and what room you booked, then asks you to pay for the nights in question. Large amounts of money can be stolen in this way.’
Breach reported 22 days too late
Booking.com was informed of the data breach on 13 January 2019, but did not report it to the DPA until 7 February, which is 22 days too late: data breaches must be reported within 72 hours. On 4 February 2019 Booking.com informed the affected customers of the breach. The company also took other measures to limit the damage, such as offering to compensate any losses.
‘This is a serious violation,’ Ms Verdier says. ‘Unfortunately, a data breach can occur anywhere, even if you have good precautionary measures in place. But in order to prevent harm to customers and future attacks, you have to report a breach on time.’
‘Taking rapid action is essential, not least for the victims of the breach. After receiving a report the DPA can order a company to immediately warn those affected. This can prevent criminals having weeks in which to attempt to defraud customers.’
According to Ms Verdier, ‘A company of this size, which stores valuable personal data of millions of customers in its systems, has a huge responsibility. Customers are entrusting their personal data to Booking.com. And the company must do everything it can to protect that data properly. That means not only ensuring good security to prevent breaches, but also taking rapid action if the worst should happen.’
Booking.com will not lodge an objection to or apply for review of the decision imposing the fine.
The investigation into the Booking.com breach was international in scope. The situation involved an international company with customers from a range of countries. Booking.com’s global headquarters are in the Netherlands, which is why the Dutch DPA performed the investigation. Since this was an international matter, the DPA coordinated the investigation with other European data protection supervisory authorities.
Obligation to report data breaches
The obligation to report data breaches means that both companies and public authorities must immediately (and in any case within 72 hours) inform the DPA if they suffer a serious data breach. In certain cases they must also inform the individuals whose personal data was leaked.
Explosive increase in data theft
In 2020 the DPA warned it was seeing an explosive increase in the number of hacks aimed at stealing personal data. The number of reports in 2020 was 30% higher than in the previous year. Data theft can often be prevented by enhanced security.