Online travel agency Booking.com was levied by the Dutch Data Protection Authority with €475,000 in fines (equivalent to $560,000) on March 31, 2021. This ruling follows after the travel agency supposedly failed to report its data breach within 72 hours of being aware of the incident.
The delated breach report violated the time period required by the General Data Protection Regulation (GDPR) which requires companies and businesses to report and disclose their cybersecurity incident within 72 hours after becoming aware of the incident.
Booking.com initially suffered a data breach three years ago back in December of 2018 after a number of scammers took advantage of 40 employees. These employees worked at different hotels in the United Arab Emirates (UAE), notes Forbes.
The employees were targeted by phone scammers and hackers, obtaining their login credentials under Booking.com. The attackers were able to log in within the Booking.com system, after which they were able to access the personal details of more than 4,100 customers who had hotel bookings all over the United Arab Emirates.
Among the data compromised in the incident include customers’ names, addresses, and phone numbers. The credit card details of around 283 people have also been made vulnerable, with 97 of these credit cardholders having their CVV obtained by the hackers as well.
Apart from obtaining the log-in credentials of 40 employees, Naked Security said the Dutch regulator claimed that threat actors also took to calling up hotels and claimed that they were representatives of Booking.com in attempts to extract the personal details of users. However, the regulator is unclear on whether the scam worked.
While the online travel agency suffered the breach back in 2018, Booking.com was only notified early the following year on January 13, 2019. However, Forbes states that the company failed to report the incident to the Dutch Data Protection Agency within 72 hours.
Instead, the travel firm only reported the attack to the Dutch Data Protection Authority 22 days later on February 7, 2019. However, Naked Security reports that the agency first informed affected parties and customers three days prior to notifying the Dutch regulator on February 4, 2019.
Following this, the Dutch regulator’s vice president Monique Verdier said, “This is a serious violation. A data breach can unfortunately happen anywhere, even if you have taken good precautions. But to prevent damage to your customers and the recurrence of such a data breach, you have to report this in time.”
