Dutch regulator fines Booking.com with 475,000 euros for reporting late violations
On March 31, 2021, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch Data Protection Authority”) announced a fine of € 475,000 for the Dutch online travel agency Booking.com for not reporting a data breach within 72 hours of becoming aware of the incident Year 2019.
The breach involved unauthorized access to credentials, allowing criminals to access the personal information of more than 4,000 customers. The compromised details included names, addresses, phone numbers, and approximately 300 credit card numbers.
In a statement (in Dutch), the Dutch Data Protection Authority noted that Booking.com was informed of the breach on January 13, 2019, but the incident was not reported until February 7, 2019, about 22 days later and well outside the 72-hour Deadline, the time frame reported to the supervisory authority in accordance with Article 33 of the GDPR. Booking.com notified affected customers on February 4, 2019. Regulators found that Booking.com had taken (unspecified) steps to limit damage to customers and offered to compensate them for damage suffered. The statement from the Dutch Data Protection Authority does not explain the reason for the late reporting from Booking.com, but it does state that Booking.com will not object to the fine or appeal.
“This is a serious breach,” said Monique Verdier, Vice President of the Dutch Data Protection Agency. “Unfortunately, a data breach can happen anywhere, even if you take good precautions. However, in order to avoid damage to your customer and the repetition of such a data breach, you must report this in good time. This speed is very important. . . . Such a large company with valuable personal information from millions of customers in its systems has a huge responsibility. Customers entrust their personal data to Booking.com. And they have to do everything possible to properly protect the data. That means good security to prevent a leak, but also quick action if something goes unexpectedly wrong. “