This article has been published previously in this website.
The Dutch Data Protection Authority (AP) has imposed a fine of over £400,000 on Booking.com for reporting a security incident twenty-two days after discovering it, instead of the mandated 72 hours.
The security breach suffered by Booking.com took place in 2018 and compromised the sensitive personal information of more than 4,000 customers. The compromised data included names, addresses, phone numbers, and booking details. Around 300 customers had their financial details like credit card numbers and CVV compromised as well.
The breach took place when cyber criminals called up around 40 hotels in the United Arab Emirates and convinced the hotel staff to give out the login details of customers’ Booking.com accounts. These criminals then contacted the victims over the phone and emails by pretending to be Booking.com employees and tried to extract further information and credit card details.
Booking.com learned about the breach of customer records on 13 January 2019. However, it informed De Autoriteit Persoonsgegevens (the Dutch Data Protection Authority) about the incident on February 7, twenty-two days post the discovery. According to the law, a company needs to inform any security incident to the Data Protection Authority within 72 hours of learning about the incident.
“This is a serious violation. A data breach can, unfortunately, happen anywhere, even if you have taken good precautions. But to prevent damage to your customers and the recurrence of such a data breach, you have to report this in time,” said Monique Verdier, vice president of the Dutch DPA.
“That speed is very important. In the first place for the victims of a leak. After such a report, the AP can, among other things, order a company to immediately warn affected customers. To prevent criminals from having weeks to continue trying to defraud customers, for example.”
When contacted by SecurityWeek, Booking.com said it was fined for the delay in reporting the breach and the penalty was not a reflection of its security practices or its handling of the incident.
- Transferencias internacionales de datos personales: retos y aspectos clave
- Fuerza mayor en contratos SaaS: cómo proteger tu empresa ante caídas y ciberataques
- Acceso a instalaciones mediante control biométrico: identificación vs autenticación
- Pacto de socios en startups tecnológicas: manual de supervivencia para fundadores
- Autoridad Independiente de Protección al Informante (AIPI) en España: qué es y cómo funciona
- El derecho al olvido en el caso de Cecilia Sopeña
- Drones y protección de datos: claves de la guía de la AEPD
- Protección de marcas renombradas en el sector tecnológico: el “efecto extraclase”
- El mal uso de la Inteligencia Artificial en la empresa: consecuencias técnicas, legales y comerciales
- Protección de datos en cámaras de garaje: lo que debes saber antes de instalarlas
- Protección de datos en mirillas electrónicas: un caso resuelto por el Supremo
- Protección de datos en el caso Ter Stegen y el FC Barcelona
- Carteles en comunidades de propietarios y derecho al honor: sentencia del Supremo 1186/2024
- Los principios o «reglas de oro» de la protección de datos
- La AEPD recuerda que ya puede actuar ante sistemas de IA
