Booking.com Data Breach

On 31 March 2021, the Dutch Data Protection Authority, the Autoriteit Persoonsgegevens (commonly referred to as the AP), announced in a press release that it would be imposing a fine on Booking.com for reporting a data breach later than the time limit stipulated in the GDPR.

For readers unfamiliar with the term, a data breach occurs when individuals' personal data, such as their financial details, name, address and contact details, is leaked or accessed by unauthorised parties. This data can then be used to defraud or even blackmail the individuals concerned, causing severe financial and emotional distress.

In order to protect individuals from this distress, the European Union brought into force the GDPR, which we have been discussing in previous articles.

The breach itself involved criminals stealing the personal information of 4000 Booking.com customers. They also succeeded in obtaining the credit card details of 300 people.

Modus Operandi of the criminals

In December 2018, the criminals obtained the login credentials of hotel staff in the UAE and used them to access the Booking.com system. In this way they obtained the personal details of customers who had booked hotel rooms through the portal, including the customers' names, addresses, contact details and booking details.

The criminals were also able to view the credit card details of 283 people, including the card security code for 97 of them.

Nor did they stop there: posing as Booking.com staff, the criminals also attempted to obtain customers' credit card details directly from them.

Action taken by Booking.com

On January 13, 2019 Booking.com became aware of this large-scale data breach, but it did not report it to the AP until February 7, 2019. This amounts to a delay of 22 days, since the GDPR requires a serious data breach to be reported within 72 hours. Booking.com did, however, inform the affected customers by February 4, 2019 and also tried to implement measures to mitigate the damage.

Such a delay is not permissible under the GDPR, particularly given the severity of the breach and the brand name associated with the company.

Action taken by AP

After conducting an international investigation, necessitated by the company's multinational presence, the AP imposed a fine of 475,000 euros on Booking.com. The AP has the authority to impose the fine because Booking.com is headquartered in the Netherlands.

The AP attributed the fine mainly to the delay in reporting the breach to the supervisory authority and in informing the affected customers. Booking.com will not be appealing the AP's decision.

Conclusion

As the saying goes, "With great power comes great responsibility". An international company like Booking.com, which collects large volumes of customer data in order to provide its services, must have stringent checks in place to prevent such severe breaches, which can endanger customers' privacy and exacerbate their mental agony. The incident also shows that the hotels working with the company must be given extensive training so that they do not fall prey to such scams and end up disclosing their clients' most sensitive data.

Hopefully, the high penalty imposed will prove to be a deterrent against further data breaches and push companies to strengthen their security measures.
