The National Center for Personal Data Protection (NCPDP), for information and application purposes, reports on the fine of EUR 475 000 imposed by the Dutch Data Protection Authority (DPA) on Booking.com for its delay in reporting a data breach.
In a telephone scam targeting 40 hotels in the United Arab Emirates (UAE) in December 2018, the criminals persuaded hotel staff to reveal the log-in details for their accounts in a Booking.com system. In this way, the criminals gained access to the data of 4 109 people who had booked a hotel room in the UAE. The data included their names, addresses and telephone numbers, as well as details of their booking.
Furthermore, the criminals were able to access the credit card information of 283 people. In 97 cases, the credit card security code was obtained as well. The criminals also tried to get hold of the credit card information of other victims, by posing as Booking.com staff in emails or on the telephone.
Booking.com was informed of the data breach on 13 January 2019, but did not report it to the DPA until 7 February, which is 22 days too late: data breaches must be reported within 72 hours. The investigation into the Booking.com breach was international in scope, targeting customers from a range of countries. Booking.com’s global headquarters are in the Netherlands, which is why the Dutch DPA performed the investigation, in coordination with other European data protection supervisory authorities.
The Dutch Data Protection Authority warned it was seeing an explosive increase in the number of hacks aimed at stealing personal data, which in 2020 was 30% higher than in the previous year.
The NCPDP, as the national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the provisions of the legal framework on personal data protection and to ensure that personal data processing operations are in accordance with the legislation in force.