The Dutch Data Protection Authority (AP) has imposed a fine of €475,000 on Booking.com for a data breach in which criminals accessed the personal data of more than 4,000 customers, including the credit card details of nearly 300 users of the popular travel site.
The criminals extracted the account login details from employees of 40 hotels in the United Arab Emirates.
“Booking.com customers ran the risk of being robbed here,” said Monique Verdier, Vice President of the Dutch data protection agency. “Even if the criminals did not steal credit card information but only someone’s name, contact details and information about his or her hotel booking. The scammers used that data for phishing.”
“By pretending to belong to the hotel by phone or email, they tried to take money from people. That can be very credible if such a scammer knows exactly when you booked which room. And asks if you want to pay for those nights. The damage can then be considerable,” said Verdier.
Booking.com was notified of the data breach on 13 January, but didn’t report it within the mandatory three-day period after discovering a breach. Instead, it waited a further 22 days.
“This is a serious violation,” said Verdier. “Unfortunately, a data breach can happen anywhere, even if you have taken good precautions. But to prevent damage to your customers and the repetition of such a data breach, you must report this in time. Speed is very important.”