Booking.com fined $557K under GDPR for reporting data breach late

The fine, announced Wednesday, is the Netherlands’ eighth under the GDPR so far. It surpasses Ireland’s €450,000 sanction against Twitter for similarly failing to report on time a data breach.

In December 2018, cyber-criminals obtained the personal data of some 4,109 customers—including the credit card details of 283—by scamming employees based in some 40 hotels in the United Arab Emirates to hand over their Booking.com account login credentials.

The hackers used the Booking.com platform to obtain customers’ personal and payment card information and also attempted to phish the card information of others by posing as Booking.com employees over the phone or via e-mail. The criminals managed to obtain the security codes of 97 credit cards, according to the Dutch Data Protection Authority (DPA).

The company, which is based in the Netherlands, learned of the breach on Jan. 13, 2019, but only notified the regulator on Feb. 7, 2019—three days after it notified customers.

In a translated statement, Dutch DPA Vice President Monique Verdier said: “This is a serious violation. A data breach can unfortunately happen anywhere, even if you have taken good precautions. But to prevent damage to your customers and the repetition of such a data breach, you have to report this in time.”

Booking.com has said it will not appeal the fine.

In an e-mailed statement, the company said: “The Dutch DPA fine relates specifically to late notification to them of this incident and is not connected to Booking.com’s security practices, nor to the overall handling of the incident in question.”

The company apologized for the lag between receiving the first reports of suspicious activity and escalating the matter internally. It added it has since taken additional steps to improve awareness and education among partners and employees on privacy measures and general security processes and has improved its internal reporting channels.