The hotel booking firm Booking.Com has been fined €475,000 for failing to report a data breach to the authorities for 22 days

Criminals stole the personal data of 4,000 customers and obtained the credit card details of 283, the Dutch Data Protection Authority (AP) said.

Booking.com was notified of the breach on 13 January 2019, but did not report it until 7 February, breaching the data breach notification obligation to notify AP within 72 hours. Affected customers were informed on 4 February.

Monique Verdier, Vice President, AP, described the failure to notify as a “serious violation”.

She said: “A data breach can unfortunately happen anywhere, even if you have taken good precautions. But to prevent damage to your customers and the repetition of such a data breach, you have to report this in time.

‘That speed is very important, in the first place for the victims of a leak. After such a report, the AP can, among other things, order a company to immediately warn affected customers, to prevent criminals from having weeks to continue trying to defraud customers, for example. ’

Criminals extracted login credentials to customer accounts in a Booking.com system from employees of 40 hotels in the United Arab Emirates by telephone.

In December 2018, the criminals gained access to the data of 4,109 people who had booked a hotel room in that country via the booking site. This included their names, addresses and telephone numbers and details about their booking.

The criminals also saw the credit card details of 283 people. Including the security code of the credit card in 97 cases.

‘Even if the criminals did not steal credit card details, but only someone’s name, contact details and information about his or her hotel booking. The scammers used that data for phishing. ’

’By pretending to belong to the hotel by phone or email, they tried to take money from people. This can be very credible if such a scammer knows exactly when you have booked which room. And asks if you want to pay for those nights. The damage can then be considerable,” said Verdier.

Booking.com will not object or appeal against the fine, the AP said.

A Booking.com spokesperson pointed out the fine was specifically for late notification and is not connected to the website’s security practices.

She said: ”A small number of hotels inadvertently provided their Booking.com account login details to online scammers, but there was no compromise of the code or databases that power the Booking.com platform. 

”After receiving the first reports of suspicious activity, we began working to understand and resolve the issue, but unfortunately didn’t get the matter escalated as fast as we would have liked internally. 

”We have since taken additional steps to improve awareness and education amongst our partners and employees on important privacy measures and general security processes, while also working to further optimize the speed and efficiency of our internal reporting channels.”

Register to receive the latest data protection and privacy news and analysis straight to your inbox