PrivacyCache

Netherlands | Data Breach | Hospitality | Decision: 2020-12-15

Booking.com B.V.

€475K

Issued by Autoriteit Persoonsgegevens (AP) on 2020-12-15

What happened

The Dutch Data Protection Authority (AP) fined Booking.com €475,000 for failing to report a personal data breach within the 72-hour deadline required by GDPR. In late 2018, criminals used social engineering to obtain login credentials from employees of over 40 hotels in the UAE. The attackers then used these credentials to access personal data of over 4,100 Booking.com customers, including names, addresses, phone numbers, and credit card details of 283 individuals. Booking.com learned of the breach on January 13, 2019, but did not report it to the Dutch DPA until February 7, 2019 — 22 days late. The company also failed to notify affected individuals within the required timeframe.

Articles violated

Art. 33(1) GDPR

Lessons learned

The 72-hour breach notification deadline starts from the moment the organization becomes aware of the breach, not from when the investigation is complete. Companies must have incident response procedures that can identify and escalate breaches rapidly. Even if the root cause is a partner's security failure (hotel employees being phished), the data controller must still report promptly. Having a clear breach notification protocol with defined roles and escalation paths is essential to meet the tight GDPR deadline.

Source

View original decision

Disclaimer: This summary is for informational purposes only and does not constitute legal advice. Refer to the original decision for complete details.
