Booking.com has been penalised and fined to the tune of €475,000 ($560,000) after being found guilty of failing to report a data breach within the time period set down by the European Union’s General Data Protection Regulation (GDPR).
The breach took place during 2018 in the United Arab Emirates (UAE), when telephone scammers targeted 40 employees at different hotels. The scammers obtained login details to the Booking.com database and accessed the personal details of more than 4,100 customers of the online travel booking system.
Credit card details of 283 customers were also exposed, and in 97 of those cases the CVV code was also compromised. The attackers also tried to obtain the credit card details of other victims by posing as Booking.com employees by email or telephone. As a result of the breach, Booking.com users were at risk of having their data used for phishing.
The company's main office, which is in the Netherlands, was made aware of the data breach on 13 January 2019 but did not report it to the Dutch Data Protection Authority until 7 February, some 22 days later. GDPR requires that data breaches be reported within 72 hours of the company becoming aware of them.
Monique Verdier, VP of the Dutch Data Protection Authority (AP) said: “Booking.com customers ran the risk of being robbed here. Even if the criminals did not steal credit card details, but only someone’s name, contact details and information about his or her hotel booking, the scammers used that data for phishing. By pretending to belong to the hotel by phone or email, they tried to take money from people. This can be very credible if such a scammer knows exactly when you have booked which room, and asks if you want to pay for those nights. The damage can then be considerable.”