[BreachExchange] Booking.com Fined $558,000 for Late Breach Notification

Destry Winant destry at riskbasedsecurity.com
Fri Apr 2 09:56:26 EDT 2021


https://www.infosecurity-magazine.com/news/bookingcom-fined-558k-for-late/

A major hotel bookings site has been fined €475,000 after failing to
report a serious data breach within the time period mandated by the
General Data Protection Regulation (GDPR).

Booking.com suffered the breach back in 2018 when telephone scammers
targeted 40 employees at various hotels in the United Arab Emirates
(UAE).

After obtaining their login credentials to a Booking.com system, they
were able to access the personal details of over 4100 customers who
had booked a hotel room in the UAE via the site. Credit card details
on 283 customers were also exposed, and in 97 cases the security (CVV)
code was compromised.

“Booking.com customers ran the risk of being robbed here. Even if the
criminals did not steal credit card details, but only someone’s name,
contact details and information about his or her hotel booking, the
scammers used that data for phishing,” explained Monique Verdier, VP
of the Dutch Data Protection Authority (AP).

“By pretending to belong to the hotel by phone or email, they tried to
take money from people. This can be very credible if such a scammer
knows exactly when you have booked which room, and asks if you want to
pay for those nights. The damage can then be considerable.”

Although the breach does not appear to have been Booking.com’s fault,
its response was found wanting.

The travel giant, which is headquartered in the Netherlands, learned of
the incident on January 13 2019 but did not report it to the AP until
February 7, 22 days after the GDPR's 72-hour reporting window had
closed.

Verdier argued that this was a serious violation of the trust that
millions of customers place in the platform to keep their details
safe. Online firms’ obligations don’t just extend to best practice
cybersecurity controls, she claimed, but also to reacting quickly if
and when things do go wrong.

“A data breach can unfortunately happen anywhere, even if you have
taken good precautions, but to prevent damage to your customers and
the repetition of such a data breach, you have to report this in
time,” Verdier said.

“That speed is very important: in the first place for the victims of a
leak. After such a report, the AP can, among other things, order a
company to immediately warn affected customers — to prevent criminals
from having weeks to continue trying to defraud customers, for
example.”

