The Dutch Data Protection Authority (DPA) has imposed a fine of € 475,000 on travel website Booking.com for its late reporting of a data breach. Criminals stole login details from employees of hotels in Dubai by phone. This gave them access to the personal details of 4,109 people. They also managed to steal the credit card details of more than 300 customers.

Booking.com was notified of the data breach on January 13, 2019. However, they did not report this leak until February 7, 2019, where according to the General Data Protection Act (AVG) such a leak must be reported within 72 hours. Booking.com was therefore 22 days late in reporting the data leak. Booking.com acknowledges that it reported the leak too late. Booking.com states that since then its systems in the field of privacy and security have been optimized to exclude such a leak and the subsequent late notification.

Do you have questions about privacy law or need advice? Feel free to contact lawyer Arsen Mukuchian.

April 2, 2021

Source: Data Protection Authority