Dutch DPA fines Booking.com for delay in reporting data breach

9 April 2021 Netherlands

The Dutch Data Protection Authority (DPA) has imposed a €475,000 fine on Booking.com because the company took too long to report a data breach to the DPA. When the breach occurred, criminals obtained the personal data of over 4,000 customers. They also got their hands on the credit card information of almost 300 people.

In a telephone scam targeting 40 hotels in the United Arab Emirates in December 2018, the criminals persuaded hotel staff to reveal the log-in details for their accounts in a Booking.com system. In this way the criminals gained access to the data of 4,109 people who had booked a hotel room in the UAE. The data included their names, addresses and telephone numbers, as well as details of their booking. 

The criminals were also able to access the credit card information of 283 people. In 97 cases, the credit card security code was obtained as well. The criminals also tried to get hold of the credit card information of other victims, by posing as Booking.com staff in emails or on the telephone. 

Phishing
‘Booking.com customers ran a risk of falling victim to serious theft,’ says DPA deputy chair Monique Verdier, ‘even if the criminals didn’t obtain credit card information but only someone’s name, contact details and booking information. After all, those details could be used by fraudsters for “phishing” expeditions. 

‘By posing in emails or on the phone as hotel staff, they attempted to steal money from people. Such an approach can seem highly credible if the fraudster knows exactly when you made a booking and what room you booked, then asks you to pay for the nights in question. Large amounts of money can be stolen in this way.’

Breach reported 22 days too late
Booking.com was informed of the data breach on 13 January 2019, but did not report it to the DPA until 7 February, which is 22 days too late: data breaches must be reported within 72 hours. On 4 February 2019 Booking.com informed the affected customers of the breach. The company also took other measures to limit the damage, such as offering to compensate any losses.

‘This is a serious violation,’ Ms Verdier says. ‘Unfortunately, a data breach can occur anywhere, even if you have good precautionary measures in place. But in order to prevent harm to customers and future attacks, you have to report a breach on time. 

‘Taking rapid action is essential, not least for the victims of the breach. After receiving a report the DPA can order a company to immediately warn those affected. This can prevent criminals having weeks in which to attempt to defraud customers.’

Huge responsibility
According to Ms Verdier, ‘A company of this size, which stores valuable personal data of millions of customers in its systems, has a huge responsibility. Customers are entrusting their personal data to Booking.com. And the company must do everything it can to protect that data properly. That means not only ensuring good security to prevent breaches, but also taking rapid action if the worst should happen.’ 

Booking.com will not lodge an objection to or apply for review of the decision imposing the fine.

International investigation
The investigation into the Booking.com breach was international in scope. The situation involved an international company with customers from a range of countries. Booking.com’s global headquarters are in the Netherlands, which is why the Dutch DPA performed the investigation. Since this was an international matter, the DPA coordinated the investigation with other European data protection supervisory authorities.

Obligation to report data breaches
The obligation to report data breaches means that both companies and public authorities must immediately (and in any case within 72 hours) inform the DPA if they suffer a serious data breach. In certain cases they must also inform the individuals whose personal data was leaked. Data breaches must be reported to the DPA’s Data breach helpdesk.

Explosive increase in data theft
In 2020 the DPA warned it was seeing an explosive increase in the number of hacks aimed at stealing personal data. The number of reports in 2020 was 30% higher than in the previous year. This can be seen in the DPA’s 2020 Report on Data Breaches. Data theft can often be prevented by enhanced security.

For further information, please contact the Dutch DPA: https://autoriteitpersoonsgegevens.nl/nl

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.