Booking.com Fined $560k for GDPR Violation

Multiple news sources are reporting that Booking.com has been fined $560,000 after failing to report a data breach during the time frame mandated by the General Data Protection Regulation (GDPR).

According to InfoSecurity Magazine, Booking.com “suffered a breach in 2018 when telephone scammers targeted 40 employees at various hotels in the United Arab Emirates (UAE). After obtaining their login credentials to a Booking.com system, they were able to access the personal details of over 4100 customers who had booked a hotel room in the UAE via the site. Credit card details on 283 customers were also exposed, and in 97 cases the security (CVV) code was compromised.”

According to Forbes, the Netherlands-based company was notified of the breach on January 13, 2019, but did not report the incident to the Dutch Data Protection Authority (AP) until February 7 — 22 days later, even though the GDPR mandates that data breaches must be reported within 72 hours.

"This is a serious violation," said Monique Verdier, the Dutch regulator's vice president in a statement announcing the fine. "A data breach can unfortunately happen anywhere, even if you have taken good precautions. But to prevent damage to your customers and the recurrence of such a data breach, you have to report this in time.

“Booking.com customers ran the risk of being robbed here, Verdier added. “Even if the criminals did not steal credit card details, but only someone’s name, contact details and information about his or her hotel booking, the scammers used that data for phishing.”

Booking.com has said it will not appeal the fine.

A Booking.com spokesperson said: “The Dutch DPA [data protection authority] fine relates specifically to late notification to them of this incident and is not connected to Booking.com’s security practices, nor to the overall handling of the incident in question.”