Companies still fail to report data breaches in a timely manner

12.04.2024

A quote this week on www.nos.nl from Dennis Davrados, data breach coordinator at the Dutch Data Protection Authority (AP): ‘Sometimes companies think that the stolen data can’t do much harm, but sometimes they simply don’t report it because they are afraid of damage to their image.’

As soon as it does come out – and of course it does – the AP can take action. Most companies receive a warning from the AP, but the AP can also impose a fine and sometimes even exercise increased supervision for a long period of time.

Booking.com can attest to this.

Booking.com fine in 2021

In March 2021, the AP imposed a fine of €475,000 on Booking.com for reporting a data breach to the AP too late. The breach involved the personal data of thousands of customers, including credit card details.

Data breach in 2018

Cybercriminals were able to obtain login details for accounts in a Booking.com system from employees of 40 hotels in the United Arab Emirates by telephone. This gave them access to the personal data of 4,109 people who had booked a hotel room in that country through Booking.com, including names, addresses, telephone numbers and details about their bookings. The cybercriminals also gained access to the credit card details of 283 people and, in 97 cases, even the credit card security code. In order to obtain even more credit card details, the cybercriminals posed as Booking.com employees by email or telephone. Because the cybercriminals had stolen the names and contact details of the victims, the victims were also at risk of being defrauded directly: by posing as hotel employees by telephone or email, the cybercriminals attempted to steal money from them. As AP Vice-Chair Monique Verdier pointed out, a scammer who knows exactly when you booked which room and asks you to pay for those nights can seem very credible.

Data breach reported too late

Booking.com discovered the breach in January 2019 but reported it to the AP 22 days too late. The GDPR (General Data Protection Regulation) stipulates that a data breach must be reported to the AP within 72 hours of the organisation becoming aware of it. In addition, in some cases, a data breach must also be reported to the affected customers.

In 2022, several data breaches were again not reported in a timely manner. As a result of all these violations, combined with the fine, the AP decided to impose stricter supervision on Booking.com.

One year of increased supervision by the AP

For one year, the AP monitored whether Booking.com complied with the rules on reporting data breaches.

In this way, the AP wanted to ensure that Booking.com would report data breaches in a timely manner, both to the AP and to the victims. Booking.com had to report on measures to prevent future incidents during 2023. The AP also checked whether Booking.com had unjustifiably failed to report certain incidents. During the period of increased supervision, Booking.com was found to have reported all incidents that it was required to report.

Multiple fraud cases reported

During the period of enhanced supervision, Booking.com reported several cyber attacks. In 2023, cybercriminals again succeeded in hacking the accounts of accommodations on Booking.com and defrauding guests from the compromised accounts. To do this, they contacted guests via Booking.com’s messaging system and asked them to pay for their hotel room because something had gone wrong with the previous payment. Because the platform’s messaging system was used, the messages appeared authentic and many guests paid again.

Great responsibility

Booking.com processes a lot of sensitive data, including its customers' payment details. It is very important that Booking.com protects this data properly. However, this applies not only to Booking.com, but to any company that processes personal data.

This case once again highlights how important it is for companies to act promptly and in accordance with the law in the event of a data breach. Unfortunately, a data breach can never be ruled out, but it is very important to take proper precautions and to report any data breach in a timely manner. This minimises the damage to the individuals whose personal data has been affected and prevents a fine or other measures being imposed by the AP.

This article was written by Kim Deckers. Would you like to know more about how to deal with data breaches in general as an organisation? Then read (again) her previous article with a step-by-step plan for data breaches or call (043 328 4162) or email her (k.deckers@paulussen.nl).

You can of course also do this if you have any other questions regarding this article.
