The Dutch data protection authority, Autoriteit Persoonsgegevens (AP), fined Booking.com B.V. 450,000 euros for violations related to a 2018 breach. The AP alleges the Dutch company did not report a breach involving more than 4.100 customers until 22 days after the reservation service provider was made aware of the incident. The delay fell outside of the 72-hour breach notification requirement.
In December 2018, the criminals gained access to the data of 4,109 people who had booked a hotel room in that country via the booking site. This included their names, addresses and telephone numbers and details about their booking.
The criminals also accessed the credit card details of 283 people. Including the security code of the credit card in 97 cases. In addition, they tried to obtain the credit card details of other victims by posing as an employee of Booking.com by email or telephone.
AP Vice President Monique Verdier said breaches can "happen anywhere" despite "good precautions," however, she added that "you have to report this in time" to protect customers.
Learning 1: the bar for a high risk to victims (and therefore notification) is low
Noteworthy, the Dutch supervisor considers the bar for reporting a data breach easily reached, a name, contact data and some additional information being enough, as “the scammers used that data for phishing. That can be very credible if such a scammer knows exactly when you booked which room.”
Learning 2: speed is of the essence, the AP wants to be in control to protect victims
An early but incomplete notification beats a late one, it seems. Even if you’re taking immediate action to resolve the incident like Booking did, and are unsure if an incident constitutes a data breach, always always report it to the authority: "speed is very important. In the first place for the victims of a breach. After such a report, the AP can, among other things, order a company to immediately warn affected customers. To prevent criminals from having weeks to continue trying to fraud customers, for example. "
Learning 3: the AP is ‘sounding the alarm’ on data breaches, as its capabilities to investigate them increase
The fine for Booking.com is one in a line of several. Most fines by the AP having to do with data breaches and lacking technical and organisational measures leading to them. However, due to a shortage of personnel and budget at the AP, data breaches receive little follow-up: of the 27,000 data breaches in 2019, only 0.3% lead to an investigation. In 2020, the AP noted an explosive increase in the number of hacks aimed at the theft of personal data. The number of reports increased by no less than 30% in 2020 compared to 2019. With the promise of a massive increase in budget (3,4m euro), it is expected the focus on breaches and security will increase.