Travel services website Booking.com has been fined €475,000 (around $560,000) under GDPR laws after failing to report a data breach within the mandated timeframe.
The Netherlands-based company, which provides accommodation and flights, suffered a data leak back in 2018 when the personal and financial details of more than 4,100 customers were exposed online.
Telephone scammers targeted hotels in the United Arab Emirates, gaining the Booking.com login details of 40 employees and allowing them access the system.
They then stole the data of 4,100 users, including the credit card details of 283 customers – 97 of whom also had their card security number stolen.
Late Booking
Booking.com discovered the breach on January 13, 2019, but failed to report the incident to regulators until February 7, 2019. GDPR rules mandate that all breaches should be reported within 72 hours of discovery.
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, or ‘AP’) imposed the fine, after calling the incident a “serious violation” of the EU’s data protection regulation.
AP vice president Monique Verdier said in a statement: “This is a serious violation. A data breach can unfortunately happen anywhere, even if you have taken good precautions.
“But to prevent damage to your customers and the recurrence of such a data breach, you have to report this in time.”
Verdier added: “That speed is very important. In the first place for the victims of a leak.
“After such a report, the AP can, among other things, order a company to immediately warn affected customers. In this way, for example, to prevent criminals from having weeks to continue trying to defraud customers.”
Staff training
A spokesperson for Booking.com told The Daily Swig: “The Dutch DPA fine relates specifically to late notification to them of this incident and is not connected to Booking.com’s security practices, nor to the overall handling of the incident in question.
“A small number of hotels inadvertently provided their Booking.com account login details to online scammers, but there was no compromise of the code or databases that power the Booking.com platform.
“After receiving the first reports of suspicious activity, we began working to understand and resolve the issue, but unfortunately didn’t get the matter escalated as fast as we would have liked internally.
“We have since taken additional steps to improve awareness and education amongst our partners and employees on important privacy measures and general security processes, while also working to further optimize the speed and efficiency of our internal reporting channels.
“The protection and security of personal data is and will remain a top priority at Booking.com.”
Source: https://portswigger.net/daily-swig/booking-com-fined-560-000-for-gdpr-data-breach-violation