On Wednesday, the Dutch Data Protection Authority reported that it had fined online travel agency Booking.com €475,000 for failing to disclose a data security incident within the required timeframe.
The fine was imposed by the Dutch data protection authority as the company is legally headquartered in Amsterdam. It came after criminals stole the personal data of over 4,000 Booking.com customers, including over 300 victims' credit card information. The cybercrooks attempted to phish the card information of others by posing as Booking.com employees over the phone.
Booking.com was affected by a similar incident in November 2020, in which the data of millions of its customers was jeopardized. The investigation revealed that the breach was caused by Prestige Software, which stored customers’ payment details with no protection. Any customer who had booked with the company since 2013 was affected by the breach.
In an official statement announcing the fine, Monique Verdier, VP of the Dutch regulator, said: "This is a serious violation. A data breach can, unfortunately, happen anywhere, even if you have taken good precautions. But to prevent damage to your customers and the recurrence of such a data breach, you have to report this in time."
The travel company detected the data breach on January 13, 2019, but did not alert the Data Protection Authority until February 7, although the incident should have been reported within 72 hours. Booking.com notified affected customers on February 4th.
Of the delay, Booking.com said: "We, unfortunately, didn't get the matter escalated as fast as we would have liked internally. However, we have since implemented measures to further improve awareness and education amongst our partners and the employees who support them closely, with an aim of further optimizing the speed and efficiency of our internal reporting channels, which is an ongoing and iterative process."
In an emailed statement, the company also said: “We have since taken additional steps to improve awareness and education amongst our partners and employees on important privacy measures and general security processes, while also working to further optimize the speed and efficiency of our internal reporting channels. The protection and security of personal data is and will remain a top priority at Booking.com.”