Fined €475,000 For Late Data Breach Reporting

The Dutch Data Protection Authority (AP) has imposed a €475,000 fine on for reporting a data breach to the AP too late. Cybercriminals exfiltrated the personal data of more than 4,000 customers and they were also able to obtain the credit card details of nearly 300 victims.


Hackers extracted login credentials of victims’ accounts in a system from employees of 40 hotels in the United Arab Emirates by telephone.

In December 2018, attackers gained access to the data of 4,109 people who had booked a hotel room in UAE via This included their names, addresses and telephone numbers and details about their booking.

The criminals also stole the credit card details of 283 people, including the security code of the credit card in 97 cases. In addition, they tried to obtain the credit card details of other victims by posing as an employee of by email or telephone. customers ran the risk of being robbed here. Even if the criminals did not steal credit card details, but only someone’s name, contact details, and information about his or her hotel booking. The scammers used that data for phishing. By pretending to be a hotel representative by phone or email, they tried to take money from people. This can be very credible if a scammer knows exactly when you have booked which room. And asks if you want to pay for those nights. The damage can then be considerable.AP Vice President Monique Verdier was notified of the data breach on January 13th, 2019, but did not report it to the AP until February 7th. That is 22 days late. The GDPR mandates that companies must report data breaches within 72 hours. notified affected customers of the leak on February 4th, 2019. In addition, the company took other measures to limit the damage, such as the offer to compensate for any financial losses.

This is not the first time is dealing with such an attack. In November 2020, the company was hit with another hack with millions of its customers’ data potentially exposed.

Verdier argued that this was a serious violation of the trust that millions of customers place in the platform to keep their details safe. Online firms’ obligations don’t just extend to best practice cybersecurity controls, she claimed, but also to reacting quickly if and when things do go wrong.

A data breach can, unfortunately, happen anywhere, even if you have taken good precautions. But to prevent damage to your customers and the recurrence of such a data breach, you have to report this in time.AP Vice President Monique Verdier

According to AP, will not contest the fine.

Similar Posts