The Dutch Data Protection Authority has fined hotel booking website Booking.com €475,000 ($560,000) for reporting a security incident 22 days after it happened, in breach of EU GDPR regulations that dictate that all breaches must be disclosed within 72 hours.
According to a copy of the fine’s text, obtained by The Record, the fine was imposed for a security breach that took place in December 2018, after hackers gained access to the Booking.com login credentials for employees of 40 hotels in the United Arab Emirates.
At the time, the hackers accessed the Booking.com platform and collected the details of 4,109 people who booked a hotel room in the UAE via the Dutch company’s site.
The intruders also viewed the payment card data for 283 people, including the security code for 97 cards, and Dutch officials said the hackers also called some customers posing as Booking.com employees in order to collect additional payment card details.
The Dutch privacy watchdog said it fined the company because it learned of the breach on January 13, 2019, but notified authorities only on February 7, 22 days after the standard three-day GDPR breach reporting deadline had expired.
“This is a serious violation,” said Monique Verdier, vice-president of the Dutch Data Protection Authority. “A data breach can unfortunately happen anywhere, even if you have taken good precautions. But to prevent damage to your customers and the recurrence of such a data breach, you have to report this in time.”
Booking.com admits guilt, doesn’t dispute fine
Reached for comment, a Booking.com spokesperson admitted to the company’s failure.
“We appreciate the open communication with the Dutch DPA on this matter and the increased clarity this decision brings for Booking.com and other companies around the strict and timely notification requirements under GDPR,” the spokesperson told The Record in an email.
But the booking platform also wanted to clarify a few other points.
It is important to note that the Dutch DPA fine relates specifically to late notification to them of this incident and is not connected to Booking.com’s security practices, nor to the overall handling of the incident in question. In fact, the DPA report acknowledges Booking.com’s transparent and open handling of this incident, including how we subsequently supported affected customers and partners, which has led them to actually reduce the standard amount of the fine by €50,000.
- Booking.com spokesperson
With respect to the incident itself from late 2018, it is important to note that while a small number of hotels inadvertently provided their Booking.com account login details to online scammers, there was no compromise of the code or databases that power the Booking.com platform. After receiving the first reports of suspicious activity on January 13, 2019, we began working to understand and resolve the issue, but unfortunately didn’t get the matter escalated as fast as we would have liked internally, which led to the late notification of the incident to the Dutch DPA. As such, we have since taken additional steps to improve awareness and education amongst our partners and employees on important privacy measures and general security processes, while also working to further optimize the speed and efficiency of our internal reporting channels, which is an ongoing and iterative process, so that we can meet reporting deadlines with the DPA.
- Booking.com spokesperson
Booking.com also told The Record that they notified all customers impacted by the December 2018 breach on February 4, 2019, even before notifying the DPA.
Booking.com was fined by Dutch authorities because the company is legally registered in Amsterdam, the Netherlands, and falls under the DPA’s authority.