Hit With €475,000 GDPR Fine For Late Reporting Of Data Breach

Travel booking website has been hit with a €475,000 ($560,000) fine after failing to report a data breach within the time period mandated by the General Data Protection Regulation (GDPR).

The Netherlands-based company, which provides accommodation and flights, suffered the breach back in 2018 when telephone scammers targeted 40 employees at various hotels in the United Arab Emirates (UAE). After hackers obtained login creations for the system, they were able to access the personal details of over 4100 customers who had booked a hotel room in the UAE via the site.

Credit card details on 283 customers were also exposed, and in 97 cases the CVV code was also compromised. The hackers also tried to obtain the credit card details of other victims by posing as an employee of by email or telephone. discovered the breach on January 13, 2019, but failed to report the incident to regulators until February 7, 2019. GDPR rules mandate that all breaches should be reported within 72 hours of discovery. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, or ‘AP’) imposed the fine, after calling the incident a “serious violation” of the EU’s data protection regulation. AP vice president Monique Verdier said in a statement: “This is a serious violation. A data breach can unfortunately happen anywhere, even if you have taken good precautions. “But to prevent damage to your customers and the recurrence of such a data breach, you have to report this in time.”


4 Blog posts