The Netherlands-based company, which provides accommodation and flights, Booking.com suffered the breach back in 2018 when telephone scammers targeted 40 employees at various hotels in the United Arab Emirates (UAE). After hackers obtained login creations for the Booking.com system, they were able to access the personal details of over 4100 customers who had booked a hotel room in the UAE via the site.
Credit card details on 283 customers were also exposed, and in 97 cases the CVV code was also compromised. The hackers also tried to obtain the credit card details of other victims by posing as an employee of Booking.com by email or telephone.
Booking.com discovered the breach on January 13, 2019, but failed to report the incident to regulators until February 7, 2019. GDPR rules mandate that all breaches should be reported within 72 hours of discovery. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, or ‘AP’) imposed the fine, after calling the incident a “serious violation” of the EU’s data protection regulation. AP vice president Monique Verdier said in a statement: “This is a serious violation. A data breach can unfortunately happen anywhere, even if you have taken good precautions. “But to prevent damage to your customers and the recurrence of such a data breach, you have to report this in time.”