Netherlands’ DPA fines Booking.com €475,000

The Netherlands’ Data Protection Authority has imposed a €475,000 fine on Booking.com for delays in reporting a data breach to the DPA. The breach involved personal data of over 4,000 customers, and credit card information of nearly 300 people was exposed. In 97 cases, the criminals obtained the cards’ PIN codes as well.

The breach occurred as a result of a telephone scam targeting 40 hotels in the United Arab Emirates in December 2018. The criminals persuaded hotel staff to reveal the log-in details for customer accounts in a Booking.com system. Booking.com reported the breach 22 days too late, a clear violation of the 72-hour notification deadline.

‘Booking.com customers ran a risk of falling victim to serious theft,’ says DPA deputy chair, Monique Verdier, ‘even if the criminals didn’t obtain credit card information but only someone’s name, contact details and booking information. After all, those details could be used by fraudsters for phishing expeditions.’

‘By posing in emails or on the phone as hotel staff, they attempted to steal money from people. Such an approach can seem highly credible if the fraudster knows exactly when you made a booking and what room you booked, then asks you to pay for the nights in question. Large amounts of money can be stolen in this way.’

The Netherlands' DPA, cooperating with other EU DPAs, was the lead supervisory authority in this case, as Booking.com's global headquarters are in the Netherlands.

See the summary of this case, published by the EDPB on 9 April.