This article was previously published on this website.
The Dutch Data Protection Authority (AP) has imposed a fine of over £400,000 on Booking.com for reporting a security incident twenty-two days after discovering it, instead of within the mandated 72 hours.
The security breach suffered by Booking.com took place in 2018 and compromised the sensitive personal information of more than 4,000 customers. The compromised data included names, addresses, phone numbers, and booking details. Around 300 customers also had financial details such as credit card numbers and CVV codes compromised.
The breach took place when cyber criminals called around 40 hotels in the United Arab Emirates and convinced hotel staff to give out the login details of customers’ Booking.com accounts. The criminals then contacted the victims by phone and email, posing as Booking.com employees, and tried to extract further personal information and credit card details.
Booking.com learned about the breach of customer records on 13 January 2019. However, it informed De Autoriteit Persoonsgegevens (the Dutch Data Protection Authority) about the incident on 7 February 2019, twenty-two days after the discovery. Under the law, a company must report any security incident to the Data Protection Authority within 72 hours of learning about it.
“This is a serious violation. A data breach can, unfortunately, happen anywhere, even if you have taken good precautions. But to prevent damage to your customers and the recurrence of such a data breach, you have to report this in time,” said Monique Verdier, vice president of the Dutch DPA.
“That speed is very important. In the first place for the victims of a leak. After such a report, the AP can, among other things, order a company to immediately warn affected customers. To prevent criminals from having weeks to continue trying to defraud customers, for example.”
When contacted by SecurityWeek, Booking.com said the fine was imposed for the delay in reporting the breach and was not a reflection of its security practices or its handling of the incident.