Fine Booking.com for late reporting of data breach

Reason

Booking.com has been fined € 475,000 by the Dutch Data Protection Authority (DDPA) for reporting a data breach too late. Booking.com reported the data breach 22 days late. This concerned data of more than 4,000 persons, including credit card details of nearly 300 persons.

Booking.com reported the data breach on February 7, 2019. Because Booking.com indicated in the notification form that the breach was discovered on January 10, 2019, the AP started an investigation into Booking.com’s compliance with Article 33, first paragraph, of the GDPR.

What happened?

An unknown third party had gained access to a Booking.com reservation system by posing as a Booking.com employee at multiple properties in the United Arab Emirates. The personal data of several data subjects who had made hotel reservations via the Booking.com platform were compromised. Booking.com notified affected customers of the data breach on February 4, 2019. In addition, the company took other measures to limit the damage, such as the offer to compensate for any damage.

In its view, Booking.com has primarily taken the position that there is no violation. On February 4, 2019, after the completion of the internal investigation, there was knowledge of the infringement, after which it was reported to the regulator in a timely manner and without unreasonable delay within 72 hours of becoming aware, according to Booking.com. The DDPAthinks differently about this. Much earlier, immediate action could have been expected from Booking.com. A Booking.com employee was informed several times from the beginning of January about suspicious emails to hotel guests. Instead of taking immediate action, Booking.com has been idle, resulting in a (very) unreasonably delayed report to the DDPA.

In addition, the DDPA regrets that Booking.com has consciously chosen to first conduct a thorough investigation instead of reporting the incident to the regulator in stages. This is not in line with the regulation as laid down in the GDPR, according to e DDPA.

Booking.com has not objected to the fine decision of December 10, 2020.

Current affairs data protection and privacy

We deal with this decision of the regulator and data breach in the module ‘current affairs data protection and privacy’. After registration you will have direct access to the module in our learning environment. Here you can register for a workshop of your choice.

More information and registration, click here.