Booking.com fined €475,000 for late reporting of data breach

Travel firm delayed reporting the breach by 22 days, exceeding the 72-hour limit

Online travel agency Booking.com has been fined €475,000 for a delay in reporting a 2018 data breach.

In the breach, more than 4,000 Booking.com customers had their names, addresses, phone numbers and booking details accessed by cyber criminals. Some 300 people also had credit card information stolen, including the CVV code in almost 100 cases.

The perpetrators phoned staff at 40 hotels in the United Arab Emirates and persuaded them to hand over the login details for the hotels' Booking.com accounts, which gave access to the hotels' customer booking data. They later contacted the affected customers by phone and email, pretending to be Booking.com or hotel staff, in an effort to extract further personal information and credit card details.

Amsterdam-headquartered Booking.com became aware of the breach on 13 January 2019, which under the GDPR's 72-hour notification requirement gave it until 16 January to notify the regulator. It did not report the breach until 7 February, 22 days after that deadline had passed.

"Booking.com customers ran the risk of being robbed here," said Monique Verdier, vice president of the Dutch Data Protection Authority (AP), according to Eureporter.

"Even if the criminals did not steal credit card information but only someone's name, contact details and information about his or her hotel booking, the scammers used that data for phishing.

"By pretending to belong to the hotel by phone or email, they tried to take money from people. That can be very credible if such a scammer knows exactly when you booked which room, and asks if you want to pay for those nights. The damage can then be considerable."

Booking.com told SecurityWeek that the fine did not concern its security practices, only the late reporting of the breach.

"A small number of hotels inadvertently provided their Booking.com account login details to online scammers, but there was no compromise of the code or databases that power the Booking.com platform," a spokesperson said.

Hotels continue to offer rich pickings for cyber criminals. Hotel chain Marriott reported a breach in 2018 in which the names, addresses, passport numbers and contact details of up to 300 million customers were stolen from its Starwood Hotels reservation system. The UK Information Commissioner's Office (ICO) found Marriott at fault for failing to put adequate security measures in place.

However, in its final penalty notice the ICO announced that, in view of the pandemic, Marriott would be required to pay just £18.4 million, a steep drop from the £99 million figure it had originally proposed in 2019.

Commenting on the Booking.com fine, Ilia Kolochenko, founder and chief architect of ImmuniWeb, said: "The fine seems to be severe given that sensitive data of just 300 people was compromised among 4,000 victims that were somehow affected. The Dutch DPA exercised its discretion to impose fines under Article 83 of GDPR in a broad manner, and it seems to be an unambiguous signal of zero tolerance for late data breach reports.

"It's unclear whether [Booking.com] will appeal the sanction as disproportionately harsh in light of the unprecedented lenience towards Marriott and BA by the UK regulator. The European Data Protection Board will probably intervene and bring more clarity on this specific misconduct in terms of gravity and subsequent punishability. In any case, this precedent evidences that victims of data breaches are to rigorously follow Article 33 of the GDPR and notify the competent DPA within 72 hours as prescribed."