The Dutch Data Protection Authority (AP) has imposed a fine of over £400,000 on Booking.com for reporting a security incident twenty-two days after discovering it, instead of the mandated 72 hours.
The security breach suffered by Booking.com took place in 2018 and compromised the sensitive personal information of more than 4,000 customers. The compromised data included names, addresses, phone numbers, and booking details. Around 300 customers had their financial details like credit card numbers and CVV compromised as well.
The breach took place when cyber criminals called around 40 hotels in the United Arab Emirates and convinced the hotel staff to hand over the login details of customers' Booking.com accounts. The criminals then contacted the victims by phone and email, posing as Booking.com employees, and tried to extract further personal information and credit card details.
Booking.com learned about the breach of customer records on 13 January 2019. However, it informed De Autoriteit Persoonsgegevens (the Dutch Data Protection Authority) about the incident on 7 February, twenty-two days after the discovery. Under the law, a company must report any security incident to the Data Protection Authority within 72 hours of learning about it.
"This is a serious violation. A data breach can, unfortunately, happen anywhere, even if you have taken good precautions. But to prevent damage to your customers and the recurrence of such a data breach, you have to report this in time," said Monique Verdier, vice president of the Dutch DPA.
"That speed is very important. In the first place for the victims of a leak. After such a report, the AP can, among other things, order a company to immediately warn affected customers. To prevent criminals from having weeks to continue trying to defraud customers, for example."
When contacted by SecurityWeek, Booking.com said it was fined for the delay in reporting the breach and the penalty was not a reflection of its security practices or its handling of the incident.
“A small number of hotels inadvertently provided their Booking.com account login details to online scammers, but there was no compromise of the code or databases that power the Booking.com platform. After receiving the first reports of suspicious activity, we began working to understand and resolve the issue but unfortunately didn’t get the matter escalated as fast as we would have liked internally.
“We have since taken additional steps to improve awareness and education amongst our partners and employees on important privacy measures and general security processes, while also working to further optimize the speed and efficiency of our internal reporting channels. The protection and security of personal data is and will remain a top priority at Booking.com,” the company said.
Commenting on the fine issued to Booking.com, Ilia Kolochenko, founder and Chief Architect of ImmuniWeb, told Teiss that the fine seems severe given that sensitive data of just 300 people was compromised among the 4,000 victims who were affected in some way.
“The Dutch DPA exercised its discretion to impose fines under Article 83 of GDPR in a broad manner, and it seems to be an unambiguous signal of zero tolerance for late data breach reports. From the Booking.com statement, it’s unclear whether it will appeal the sanction as disproportionally harsh in light of the unprecedented lenience towards Marriott and BA by the UK regulator.
“The European Data Protection Board will probably intervene and bring more clarity on this specific misconduct in terms of gravity and subsequent punishability. In any case, this precedent evidences that victims of data breaches are to rigorously follow Article 33 of the GDPR and notify the competent DPA within 72 hours as prescribed,” he added.