
Booking.com Fined €475,000 For Late Data Breach Reporting

The Dutch Data Protection Authority (AP) has imposed a €475,000 fine on Booking.com for reporting a data breach to the AP too late. Cybercriminals exfiltrated the personal data of more than 4,000 customers and they were also able to obtain the credit card details of nearly 300 victims.


Over the telephone, hackers obtained login credentials for victims’ accounts in a Booking.com system from employees of 40 hotels in the United Arab Emirates.

In December 2018, attackers gained access to the data of 4,109 people who had booked a hotel room in the UAE via Booking.com. This included their names, addresses and telephone numbers and details about their booking.

The criminals also stole the credit card details of 283 people, including the security code of the credit card in 97 cases. In addition, they tried to obtain the credit card details of other victims by posing as an employee of Booking.com by email or telephone.

“Booking.com customers ran the risk of being robbed here. Even if the criminals did not steal credit card details, but only someone’s name, contact details, and information about his or her hotel booking. The scammers used that data for phishing. By pretending to be a hotel representative by phone or email, they tried to take money from people. This can be very credible if a scammer knows exactly when you have booked which room. And asks if you want to pay for those nights. The damage can then be considerable.”
AP Vice President Monique Verdier

Booking.com was notified of the data breach on January 13th, 2019, but did not report it to the AP until February 7th. That is 22 days late. The GDPR requires companies to report data breaches within 72 hours.

Booking.com notified affected customers of the leak on February 4th, 2019. In addition, the company took other measures to limit the damage, such as the offer to compensate for any financial losses.

This is not the first time Booking.com is dealing with such an attack. In November 2020, the company was hit with another hack with millions of its customers’ data potentially exposed.

Verdier argued that this was a serious violation of the trust that millions of customers place in the platform to keep their details safe. Online firms’ obligations don’t just extend to best practice cybersecurity controls, she claimed, but also to reacting quickly if and when things do go wrong.

“A data breach can, unfortunately, happen anywhere, even if you have taken good precautions. But to prevent damage to your customers and the recurrence of such a data breach, you have to report this in time.”
AP Vice President Monique Verdier

According to AP, Booking.com will not contest the fine.
