Introduction
Booking.com has today received a fine of €475,000 from the Dutch Data Protection Regulator, the Autoriteit Persoonsgegevens (AP), for their failure to report a data breach in time.
The case follows a similar case against Twitter in Ireland in December which we wrote about here www.bit.ly/twitterfine2. This note uses some data protection specific terms which are defined at www.bit.ly/gdprwords.
What happened?
According to the AP, Booking.com suffered a cyber-attack where criminals were able to extract log-in credentials from employees of hotels in the United Arab Emirates (UAE) by telephone. The gang used these credentials to take the personal data of more than 4,109 Booking.com customers. They were able to obtain credit card details for 283 individuals including obtaining the CVV code from the credit card in 97 cases.
The attack took place in 2018 and the gang also tried to obtain the credit card details of other victims by posing as an employee of Booking.com by email or telephone.
Late reporting
According to AP, Booking.com knew of the data breach on 13 January 2019 but did not report it to the AP until 7 February 2019.
Under GDPR, there is an obligation to report to regulators. GDPR Article 33 says that data breaches have to be reported to the relevant regulator “without undue delay” and in most cases not later than 72 hours after becoming aware of the breach. Where the notification to the DPA is not made within 72 hours, it must be accompanied by reasons for the delay.
Booking.com told the victims of the breach on 4 February 2019 and it took measures to limit the damage including offering to compensate those affected. There is an additional requirement in GDPR Article 34 to tell victims. The GDPR Article 34 obligation applies where the breach is likely to result in “a high risk to the rights and freedoms of individuals”. Again the individuals affected have to be told about the breach without undue delay but the 72 hour time limit does not appear here. In practice quick reporting to those affected is usually best – especially if you’re telling individuals because you believe there is a high risk to them.
What did the AP say?
The AP was concerned about all 4,109 data subjects rather than the 283 who had their credit card details compromised. AP’s Vice President, Monique Verdier, said:
“Even if the criminals did not steal credit card details, but only someone’s name, contact details and information about his or her hotel booking the scammers used that data for phishing. By pretending to belong to the hotel by phone or email, they tried to take money from people … the damage can then be considerable”.
What happens next?
Booking.Com has said that it will not appeal the fine.
The AP said that it dealt with this matter as lead DPA for the EU. There is a possibility that since the case has been decided post-Brexit, the UK Information Commissioner’s Office could launch its own investigation and introduce separate fines if UK data subjects are impacted. For an idea of how GDPR works after Brexit, see www.bit.ly/brexdpfaq
Lessons learned
There are a number of lessons to be learned including:
- Treat security as a top priority – organisations need to have proper technical and organisational measures (TOMs) in place to stop breaches happening. This will include thorough reviews of their relationship with third parties. The fact that a data processor has notified a data controller late is unlikely to be an excuse.
- Do ongoing monitoring and testing to detect vulnerabilities and data breaches – We are handling a large number of incidents at the moment including some very severe and sophisticated attacks. Make sure your information security team have the resources they need and make sure you have cover in place over Easter. Unfortunately attackers work 24x7x365 and your response teams need to do that too. There’s also no exemption to the 72 hour reporting deadline under GDPR for the holiday period. Criminal organisations are putting considerable resources and skill into these attacks. You’ll need to make sure that your defences are fit for purpose, and
- Breaches are inevitable – even the best run organisations will have a data breach. When it happens you need to make sure that you can respond quickly given the tight reporting deadlines in GDPR. Having a proper process (like Cordery’s 4-step plan here https://www.corderycompliance.com/dealing-with-a-breach/) is essential. You need to test that plan too – for example by holding regular data breach simulation exercises to check your regulatory responses (see here https://www.corderycompliance.com/cordery-data-breach-academy-2-2/). Our experience is that organisations who rehearse a breach respond better when they have a breach.
There is more information about this and other data protection topics in Cordery’s GDPR Navigator subscription service. GDPR Navigator includes short films, straightforward guidance, checklists and regular conference calls to help you comply. More details are at www.bit.ly/gdprnav
For more information please contact André Bywater or Jonathan Armstrong who are commercial lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH | André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH | |
Office: +44 (0)207 075 1784 | Office: +44 (0)207 075 1785 | |
Jonathan.armstrong@corderycompliance.com | Andre.bywater@corderycompliance.com | |
![]() |
![]() |