INPLP article May 11, 2021
Fine of €475,000 for Booking.com for reporting a data breach 22 days too late
According to a press release of April 6, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) imposed a €475,000 fine on Booking.com because the company took too long to report a data breach to the DPA, as required by Article 33 GDPR.
22 days too late
Booking.com became aware of the data breach on 13 January 2019, but did not report it to the DPA until 7 February 2019. Article 33 GDPR requires a breach to be notified without undue delay and, where feasible, no later than 72 hours after the controller becomes aware of it, so the report was 22 days late. On 4 February 2019 Booking.com informed the affected customers of the breach. The company also took other measures to limit the damage, such as offering to compensate any losses.
Risk of falling victim to serious theft
The criminals involved obtained the personal data of over 4,000 customers and the credit card information of almost 300 people. By persuading hotel staff to reveal the log-in details for their accounts in a Booking.com system, the criminals gained access to the data of 4,109 people who had booked a hotel room. The criminals also tried to obtain the credit card information of further victims by posing as Booking.com staff in emails or on the telephone.
‘Booking.com customers ran a risk of falling victim to serious theft’ says DPA deputy chair Monique Verdier, ‘even if the criminals didn’t obtain credit card information but only someone’s name, contact details and booking information. After all, those details could be used by fraudsters for “phishing” expeditions.’
‘By posing in emails or on the phone as hotel staff, they attempted to steal money from people. Such an approach can seem highly credible if the fraudster knows exactly when you made a booking and what room you booked, then asks you to pay for the nights in question. Large amounts of money can be stolen in this way.’
‘This is a serious violation,’ Ms Verdier says. ‘Unfortunately, a data breach can occur anywhere, even if you have good precautionary measures in place. But in order to prevent harm to customers and future attacks, you have to report a breach on time.’
‘Taking rapid action is essential, not least for the victims of the breach. After receiving a report the DPA can order a company to immediately warn those affected. This can prevent criminals having weeks in which to attempt to defraud customers.’
According to Ms Verdier, ‘A company of this size, which stores valuable personal data of millions of customers in its systems, has a huge responsibility. Customers are entrusting their personal data to Booking.com. And the company must do everything it can to protect that data properly. That means not only ensuring good security to prevent breaches, but also taking rapid action if the worst should happen.’
The investigation into the Booking.com breach was international in scope. The situation involved an international company with customers from a range of countries. Booking.com’s global headquarters are in the Netherlands, which is why the Dutch DPA performed the investigation. Since this was an international matter, the DPA coordinated the investigation with other European data protection supervisory authorities.
Data breaches can occur anywhere, even when the necessary precautionary measures are in place. Nonetheless, it is essential to report a breach in time to prevent (further) harm to customers, and a timely report also enables the DPA to take the necessary action, for example by ordering the company to warn those affected. According to the DPA, the number of breaches reported in the Netherlands in 2020 was 30% higher than in 2019. Notifying the DPA is not required where the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned; in those cases, however, the breach must still be recorded in the internal data breach register for accountability purposes (Article 33(5) GDPR).
In general, it is advisable to notify the DPA within 72 hours, even if you are not yet certain how severe the impact of the breach on customers will be. There is also a practical reason: the Dutch DPA does not have nearly enough staff to investigate every reported breach, so breaches that are reported too late are low-hanging fruit that it is time- and cost-efficient for the DPA to pursue. Lastly, do not hesitate to notify the DPA promptly, as a notification can always be supplemented or amended at a later stage (Article 33(4) GDPR allows the information to be provided in phases).
We should not forget that a data breach can happen to the best of us, however good our precautionary measures may be. As the Booking.com case demonstrates, however, reporting a data breach on time can prevent serious further economic and reputational damage.