Booking.com's GDPR Fine Should Serve as 'Wake-Up Call'

Dutch Authorities Found Company Waited Over 20 Days to Issue Breach Notification
The 475,000 euro ($560,000) fine levied this week against hotel booking site Booking.com by Dutch privacy authorities should serve as a "wake-up call" for other companies about following the rules of the EU's General Data Protection Regulation, some experts say.
On Wednesday, the Dutch Data Protection Authority announced the fine against Booking.com, which is headquartered in Amsterdam. The Dutch Data Protection Authority, also known as AP, is the independent data protection authority for the Netherlands and is charged with investigating breaches and enforcing GDPR rules.
Through its investigation, the authority found that during a security breach in December 2018, unknown attackers stole the Booking.com credentials of employees working at 40 separate hotels in the United Arab Emirates.
The attackers then used those stolen credentials to access the personally identifiable information of more than 4,000 customers who had booked hotels in the UAE through the Booking.com site, Dutch authorities say. The fraudsters were also able to access the payment card data of more than 280 victims, including the card security codes of nearly 100 of those cards.
While the incident itself was troubling, the Dutch Data Protection Authority called out Booking.com for its slow response to the breach. The company, according to the report, first learned of the security lapse on Jan. 13, 2019, but waited until Feb. 7 of that year to alert the authority.
Under GDPR, an organization must report a personal data breach to its supervisory authority within 72 hours of becoming aware of it. Booking.com notified the Dutch Data Protection Authority 25 days after it learned of the breach, 22 days past that deadline.
Monique Verdier, the vice president of the Dutch privacy watchdog, noted in the report that the delay in reporting the incident could have put additional customers at risk and showed a disregard for their data.
"That speed is very important for the victims of a leak," Verdier said. "After such a report, the AP can, among other things, order a company to immediately warn affected customers. In this way, for example, criminals can be prevented from having weeks to continue trying to defraud customers."
A spokesman for the company says: "It is important to note that the Dutch DPA fine relates specifically to a late notification to them of this incident and is not connected to Booking.com’s security practices, nor to the overall handling of the incident in question. In fact, the DPA report acknowledges Booking.com’s transparent and open handling of this incident, including how we subsequently supported affected customers and partners, which has led them to actually reduce the standard amount of the fine by 50,000 euro."
Several experts say the fine levied against Booking.com should be a wake-up call for other companies about adhering to the privacy and notification rules established under GDPR.
Dirk Schrader, who is based in Germany and is the global vice president of security research firm New Net Technologies, says organizations typically fail to report incidents when they are unable to detect any malicious activities or when they are unable to control changes on their systems, but this cannot serve as an excuse under the GDPR guidelines.
Schrader says the delays in disclosure widen the attack surface for the companies, which then limits the options consumers and authorities have to prepare for or prevent theft and fraud. This means the organizations should improve their GDPR compliance by embedding control and visibility into their systems.
"This would also be fundamental for any digitalization project and its overall cyber resilience," Schrader says.
Chris Strand, chief compliance officer at security intelligence company IntSights, notes that, even when companies have been fined for delayed breach disclosures, these firms could face further actions depending on the nature of the exposed data based on the post-breach audit results.
"The post-breach investigation measures will include identifying threat intelligence on the stolen records and will allow auditors to determine if the data in question contained personal identifying information that would point to a violation of the GDPR," Strand says. "Missing the 72-hour window to report a data breach will come into play for GDPR as well, as it's a requirement."
In December 2020, Ireland's Data Protection Commission fined Twitter 450,000 euros ($547,000) for failing to report and document a data breach within 72 hours, as required under GDPR. The breach occurred in 2018 after a bug in Twitter's Android app inappropriately exposed the protected tweets of 88,000 users, the commission found (see: Twitter Fined $547,000 Under GDPR for 2018 Data Breach).
In 2018, the Dutch Data Protection Authority fined Uber B.V. and Uber Technologies Inc. for violating the data breach notification obligation. The incident, which occurred in 2016, compromised the personal data of 57 million Uber users, including such data as names, email addresses and telephone numbers of customers and drivers.