This article has been published previously in this website.
The Dutch Data Protection Authority (AP) has imposed a fine of over £400,000 on Booking.com for reporting a security incident twenty-two days after discovering it, instead of the mandated 72 hours.
The security breach suffered by Booking.com took place in 2018 and compromised the sensitive personal information of more than 4,000 customers. The compromised data included names, addresses, phone numbers, and booking details. Around 300 customers had their financial details like credit card numbers and CVV compromised as well.
The breach took place when cyber criminals called up around 40 hotels in the United Arab Emirates and convinced the hotel staff to give out the login details of customers’ Booking.com accounts. These criminals then contacted the victims over the phone and emails by pretending to be Booking.com employees and tried to extract further information and credit card details.
Booking.com learned about the breach of customer records on 13 January 2019. However, it informed De Autoriteit Persoonsgegevens (the Dutch Data Protection Authority) about the incident on February 7, twenty-two days post the discovery. According to the law, a company needs to inform any security incident to the Data Protection Authority within 72 hours of learning about the incident.
“This is a serious violation. A data breach can, unfortunately, happen anywhere, even if you have taken good precautions. But to prevent damage to your customers and the recurrence of such a data breach, you have to report this in time,” said Monique Verdier, vice president of the Dutch DPA.
“That speed is very important. In the first place for the victims of a leak. After such a report, the AP can, among other things, order a company to immediately warn affected customers. To prevent criminals from having weeks to continue trying to defraud customers, for example.”
When contacted by SecurityWeek, Booking.com said it was fined for the delay in reporting the breach and the penalty was not a reflection of its security practices or its handling of the incident.
- Reflexión sobre el incidente de Amazon Web Services
- Joint Venture tecnológica en España: claves legales para compartir IP y beneficios
- Cómo las brechas de datos afectan a marcas como Mango y a sus clientes
- Marketing digital y protección de datos en España: errores comunes
- Meta es demandada por el uso indebido de datos biométricos
- Comunicación responsable SII, ¿cuándo comienza el plazo?
- Decisiones automatizadas y sesgos algorítmicos: responsabilidad legal de las empresas en España
- Privacidad digital: ¿es posible en un mundo hiperconectado?
- Aceptación de cookies, cookie wall y pago como alternativa: qué permite la AEPD
- ¿Cómo sé que mi empresa es un sujeto obligado de la Ley 10/2010?
- Protección de los menores en Internet: claves para garantizar sus derechos
- Contratos de outsourcing tecnológico: puntos críticos legales en España
- Transferencias internacionales de datos personales: retos y aspectos clave
- Fuerza mayor en contratos SaaS: cómo proteger tu empresa ante caídas y ciberataques
- Acceso a instalaciones mediante control biométrico: identificación vs autenticación