Booking.com B.V.: Insufficient fulfilment of data breach notification obligations

The Dutch DPA (Autoriteit Persoonsgegevens) has fined Booking.com EUR 475,000 for not reporting a data breach to the DPA in a timely manner. In December 2018, criminals gained access to the data of 4,109 people who had booked a hotel room through the booking site. That included their names, addresses and phone numbers, as well as details about their booking. The criminals also accessed the credit card data of 283 people and managed to access the credit card's security code in 97 cases. Furthermore, they tried to get other victims' credit card details by pretending to be Booking.com employees via email or phone. Booking.com was notified of the data breach on January 13, 2019, but did not report it to the DPA until February 7, 2019. The controller was thus 22 days late in reporting the data breach, as it is required to report a data breach to the DPA within 72 hours.

GDPR Articles: Art. 33 GDPR
Industry: Accomodation and Hospitality