The Netherlands Data Protection Authority has fined Booking.com €475,000 for notifying it too late that criminals had accessed the data of 4,109 people who booked a hotel room via the website.
The Autoriteit Persoonsgegevens (AP) said criminals used social engineering techniques to extract Booking.com account login credentials from employees of 40 hotels in the United Arab Emirates.
They then gained access to data including users' names, addresses, telephone numbers, and details about their booking. It added (translated from the Dutch):
The criminals also [accessed] the credit card details of 283 people – including the security code of the credit card in 97 cases. In addition, they tried to obtain the credit card details of other victims by posing as an employee of Booking.com by email or telephone.
Booking.com told The Register there had been no incursion into its "internal systems (neither the code or databases that power the Booking.com platform were compromised)," adding that the incident was "isolated to 40 hotels in the UAE where partners provided the log-in details to their Booking.com accounts to online criminals."
Specifically, according to a report from AP [PDF, translated]: "An unknown third party gained access to the Booking[.com] Extranet, where Trip Providers ... log in to [obtain] necessary reservation details of the guests."
The watchdog added that the data that was kept in the Extranet included first names, last names, addresses, telephone numbers, check-in and check-out dates, total price, reservation numbers, any correspondence between the hotel and the guests and - for 283 parties - their payment card details. Ninety-seven of these included the card verification code.
The Dutch firm was handed a €475,000 fine for late notification. The AP said the company had been notified of the data leak on 13 January, 2019, but had not reported this to the watchdog until 7 February, noting: "That is 22 days late."
Under article 33 of the European General Data Protection Regulation, companies are mandated to report a "data breach" within 72 hours.
The affected customers themselves were told on 4 February 2019 – which was still 22 days after the leak. However, the watchdog added [PDF], Booking did take other measures to limit the damage, including an offer to compensate any customers who were out of pocket.
Booking told The Reg in a statement: "All affected customers were notified in February 2019 and subsequently fully supported, including with claiming chargebacks where necessary from their financial institutions."
Of the delay, it said: "We unfortunately didn't get the matter escalated as fast as we would have liked internally. However, we have since implemented measures to further improve awareness and education amongst our partners and the employees who support them closely, with an aim of further optimizing the speed and efficiency of our internal reporting channels, which is an ongoing and iterative process."
AP vice president Monique Verdier said of the fine: "Booking.com customers ran the risk of being robbed here. Even if the criminals did not steal credit card details, but only someone's name, contact details and information about his or her hotel booking... the scammers [then] used that data for phishing."
"This is a serious violation," she added.
While not on the scale of the 2018 Starwood Hotels megaleak, in which 339 million people's data was stolen from the hotel chain and Marriott was fined £18.4m (without accepting liability), it is nonetheless notable because a fine for late notification (article 33) is quite rare. Companies are afforded protections from fines if, for example, they provide a reasonable explanation for the delay.
Twitter fined for keeping quiet about protected account bug
Since the AP's decision in December, which was only made public yesterday, just three other firms have been fined under article 33. One of these was Twitter [PDF], which was fined €450,000 ($500,000) by Ireland for late notification of a bug which meant "that if a Twitter user with a protected account, using Twitter for Android, changed their email address the bug would result in their account being unprotected."
Twitter was told of the bug via its bug bounty programme on 26 December 2018, only notifying Ireland's Commission on 8 January 2019. It confirmed to the Irish data protector that the bug had affected 88,726 EU and EEA users who had a protected account and "rendered their previously protected Tweets (Tweets viewable by only approved followers of the account) public and viewable to anyone."
Booking is headquartered in Amsterdam, hence the ruling from the Dutch data protection authority. However, the AP said it had cooperated with other Euro privacy regulators in an "international investigation."
It has not been a great year for the accommodation bookings firm, which is an indirect subsidiary of the NASDAQ-listed Booking Holdings Inc. It reported revenues [PDF] of just $6.796bn in fiscal 2020, down from $15.1bn the year before, and net income of $59m, down from $4.9bn in fiscal 2019. ®