Booking-com fined €475,000 for reporting data breach too late

The Dutch Data Protection Authority has fined hotel booking website €475,000 ($560,000) for reporting a security incident 22 days after it happened, in breach of EU GDPR regulations that dictate that all breaches must be disclosed within 72 hours.

According to a copy of the fine's text, obtained by The Record, the fine was imposed for a security breach that took place in December 2018, after hackers gained access to the login credentials for employees of 40 hotels in the United Arab Emirates.

At the time, the hackers accessed the platform and collected the details of 4,109 people who booked a hotel room in the UAE via the Dutch company's site.

The intruders also viewed the payment card data for 283 people, including the security code for 97 cards, and Dutch officials said the hackers also called some customers posing as employees in order to collect additional payment card details.

The Dutch privacy watchdog said it fined the company because it learned of the breach on January 13, 2019, but notified authorities only on February 7, 22 days after the standard three-day GDPR breach reporting deadline had expired.

"This is a serious violation," said Monique Verdier, vice-president of the Dutch Data Protection Authority. "'A data breach can unfortunately happen anywhere, even if you have taken good precautions. But to prevent damage to your customers and the recurrence of such a data breach, you have to report this in time." admits guilt, doesn't dispute fine

Reached out for comment, a spokesperson admitted to the company's failure.

"We appreciate the open communication with the Dutch DPA on this matter and the increased clarity this decision brings for and other companies around the strict and timely notification requirements under GDPR," the spokesperson told The Record in an email.

But the booking platform also wanted to clarify a few other points.

It is important to note that the Dutch DPA fine relates specifically to late notification to them of this incident and is not connected to's security practices, nor to the overall handling of the incident in question. In fact, the DPA report acknowledges's transparent and open handling of this incident, including how we subsequently supported affected customers and partners, which has led them to actually reduce the standard amount of the fine by €50,000. spokesperson

With respect to the incident itself from late 2018, it is important to note that while a small number of hotels inadvertently provided their account login details to online scammers, there was no compromise of the code or databases that power the platform. After receiving the first reports of suspicious activity on January 13, 2019, we began working to understand and resolve the issue, but unfortunately didn't get the matter escalated as fast as we would have liked internally, which led to the late notification of the incident to the Dutch DPA. As such, we have since taken additional steps to improve awareness and education amongst our partners and employees on important privacy measures and general security processes, while also working to further optimize the speed and efficiency of our internal reporting channels, which is an ongoing and iterative process, so that we can meet reporting deadlines with the DPA. spokesperson also told The Record that they notified all customers impacted by the December 2018 breach on February 4, 2019, even before notifying the DPA. was fined by Dutch authorities because the company is legally registered in Amsterdam, the Netherlands, and falls under the DPA's authority.

Image via Media Center

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
What is Threat Intelligence
No previous article
No new articles
Catalin Cimpanu

Catalin Cimpanu

is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.