Booking.com Find by Dutch AP for Serious Data Breach
Note: We may earn a commission from products or services when you click on a link and make a purchase.
Hotel booking site Booking.com has been fined by the Dutch Data Protection Authority (AP) for failing to disclose a serious breach. The site was hit by a telephone scheme that compromised the sensitive data of over 4000 customers.
Booking Holdings Inc. (NYSE: BKNG) is a global hotel booking site headquartered in the Netherlands has been fined €475,000 by the Dutch AP.
In 2018, scammers targeted hotel employees in a telephone scam to steal login credentials. The employees worked at various hotels in the United Arab Emirates (UAE).
Cybercriminals then used the stolen usernames and passwords to compromise the Booking.com reservation system.
Booking.com was made aware of the attack on 13 January 2019.
SEE ALSO: Marriott Fined £18.4 M for GDPR Privacy Data Breach
The attackers exfiltrated sensitive personal information from 4,100 hotel customers. They also stole payment card numbers from 283 customers along with 97 credit card security codes, according to InfoSecurity.
Notifying customers that their information has been compromised by attackers is still the responsibility Booking.com even though the attack was not their fault.
The European Union’s General Data Protection Regulation (GDPR) requires that a company report an attack to the appropriate agency within 72 hours. Since the company is located in the Netherlands there is an obligation to report to the Dutch Data Protection Authority.
SEE ALSO: What is GDPR?
“Booking.com customers ran the risk of being robbed here. Even if the criminals did not steal credit card details, but only someone’s name, contact details and information about his or her hotel booking, the scammers used that data for phishing,” said the VP of the Dutch Data Protection Authority, Monique Verdier.