Greetings from Brussels!
The Dutch data protection authority has imposed a fine of 475,000 euros on one of the largest hotel booking platforms — Booking.com — for failing to report a major data breach to the regulator in a timely manner. The fine was imposed by the Dutch DPA as the company’s global headquarters are legally established in Amsterdam. The Netherlands is an important EU jurisdiction in the privacy world serving as a home to several important tech companies, such as Uber and Netflix.
For context, the concerned data breach dates from December 2018, when cybercriminals were able to obtain the login details of employees from 40 hotels in the United Arab Emirates through the deceptive practice of voice phishing, more commonly known as vishing. Having gained access to the company’s internal reservation system, the cybercriminals were then able to access reservation data, including the names, addresses, contact information and booking details of more than 4,100 customers. They also managed to access payment card information, including, in some cases, the credit card security codes. Moreover, the adversaries then attempted to phish the credit card information of other customers by posing as Booking.com employees over the phone or by email.
The online travel company formally learned of the data breach 13 Jan. 2019 but only notified the Dutch DPA the following month on 7 Feb. As per GDPR provisions, the incident should have been notified within 72 hours. Impacted customers were notified by the company 4 Feb.
I spoke with Jeroen Terstegge, IAPP country leader for the Netherlands, to get his view on the enforcement ruling. One of the main lessons, in this case, he said, is that controllers may already have information about a security incident and data breach that constitutes “awareness” as a very early stage as defined in Article 4(12) of the GDPR. Booking.com was initially alerted by email 9 Jan. 2019 by one of the concerned UAE hotels to suspicious activity following a customer complaint about a call regarding their reservation. In itself, this isolated incident alone did not necessarily constitute awareness of a breach. However, when Booking.com received a second email 13 Jan. over a similar incident from the same hotel, the company should have realized that it had an issue on its hands. The Dutch DPA concluded that the company should have been “aware” of a breach as of 13 Jan.
Booking.com, however, took the position that it had to conduct an internal security investigation in a first instance to conclude that a breach had, in fact, occurred. That investigation was concluded 4 Feb. The notification to the Dutch DPA followed 7 Feb., and in doing so, Booking.com was of the view that they fulfilled their obligation within the 72-hour time frame. However, in their notification filing, they stated they had become aware of the incident 10 Jan. — this is what triggered the regulatory investigation.
In a statement by the Dutch authority, Vice President Monique Verdier said, “This is a serious violation, a data breach can unfortunately happen anywhere, even if you have taken good precautions, but to prevent damage to your customers and the recurrence of such a data breach, you have to report this in time.” Terstegge added that in accordance with the DPA's fining policy, the standard fine for violation of Article 33(1) of the GDPR is 525,000 euros. Booking.com got a 50,000 euro discount for having taken action to reduce the impact on the data subjects, including the reimbursing of any financial loss. Notably, Booking.com will not object or appeal against the fine issued by the DPA.
My concluding take is this: Data controllers should file their initial notification as soon as possible to avoid being on the receiving end of expensive and arguably avoidable repercussions.