The Dutch data protection authority has fined the hotel booking service Booking.com 475 thousand euros (approximately $560 thousand) for failing to notify the regulator in time about a leak of confidential information, The Record reports.
According to a ruling from Dutch officials (Booking.com is registered in that country), the fine was imposed as a result of the theft of confidential information at the end of 2018. Hackers gained access to the Booking.com credentials of employees at 40 hotels in the United Arab Emirates. The attackers were able to steal the personal data of 4109 people who had booked rooms.
During the attack, the hackers were able to view not only personal data, but also payment card data of 293 customers, including 97 CVV codes. Subsequently, many people began to receive fraudulent calls from unknown persons who tried to find out additional payment information.
Booking.com learned about the incident on January 13, 2019, but notified the authorities about it only on February 7 of the same year, that is, 22 days after the expiration of the three-day period prescribed in the GDPR.
“This is a serious violation,” said Monique Verdier, vice president of data protection in the Netherlands. “Unfortunately, data breaches can happen anywhere, even if you have taken all precautions. But in order to prevent harm to your customers and prevent repeated violations of this kind, you must report the incident in time.”
Booking.com stressed that it notified the affected customers on February 4, 2019, before it notified the Dutch regulator. At the same time, the company admits its guilt and will not dispute the fine.