Booking.com fined EUR 475,000 for late reporting of data breach
Hotel booking site Booking.com got hit with a €475,000 fine for being late to report a data breach, the company’s lead EU privacy regulator announced Wednesday.
The fine, imposed by the Dutch data protection authority because the company is legally established in Amsterdam, came after criminals stole the personal data of more than 4,000 Booking.com customers — obtaining the credit card details of nearly 300 victims.
The website received the penalty for missing a 72-hour deadline to report the breach to the regulator. It filed its report on February 4, 2019, almost a month after it suffered the breach.
“This is a serious violation,” said Monique Verdier, the Dutch regulator’s vice president, in a statement announcing the fine. “A data breach can unfortunately happen anywhere, even if you have taken good precautions. But to prevent damage to your customers and the recurrence of such a data breach, you have to report this in time.”
The fine is the Dutch regulator’s eighth under the EU’s 2018 data protection code, the General Data Protection Regulation, though it has suffered setbacks in court.
Booking.com admits guilt, doesn’t dispute fine
Reached for comment, a Booking.com spokesperson admitted to the company’s failure.
“We appreciate the open communication with the Dutch DPA on this matter and the increased clarity this decision brings for Booking.com and other companies around the strict and timely notification requirements under GDPR,” the spokesperson told The Record in an email.
But the booking platform also wanted to clarify a few other points.
“It is important to note that the Dutch DPA fine relates specifically to late notification to them of this incident and is not connected to Booking.com’s security practices, nor to the overall handling of the incident in question. In fact, the DPA report acknowledges Booking.com’s transparent and open handling of this incident, including how we subsequently supported affected customers and partners, which has led them to actually reduce the standard amount of the fine by €50,000.” – Booking.com spokesperson
Booking.com also told The Record that they notified all customers impacted by the December 2018 breach on February 4, 2019, even before notifying the DPA.
Booking.com was fined by Dutch authorities because the company is legally registered in Amsterdam, the Netherlands, and falls under the DPA’s authority.