The Dutch Data Protection Authority (DPA) has recently fined the online travel operator Booking.com €475,000 for notifying a data breach to the DPA with a considerable delay.
The data breach
The staff of about 40 hotels located in the United Arab Emirates were deceived by a telephone scam and convinced to disclose their personal account details for a Booking.com system. By attacking this system, the attackers gained access to the personal data of over 4,000 Booking.com customers who had booked a room in those hotels. Besides identification and contact data, the credit card details of more than 300 individuals were also affected by the unlawful access. While Booking.com became aware of the data breach on 13 January 2019, the breach was only reported 22 days later to the DPA and to the data subjects involved, who were also offered compensation for their losses. The reasons for the delay were not detailed, but it is known that the fine will not be contested. The Dutch DPA led the case, since the Netherlands is the country where Booking.com is headquartered, but due to the international scope of the data breach other European DPAs were also involved in the investigation under the coordination of the Dutch DPA.
The position of the Dutch DPA
The Dutch Authority, besides imposing a large fine on the travel operator, expressed concern about the data breach, since this kind of incident may lead to further phishing attacks that exploit the affected data.
The DPA did not consider the delay acceptable, because a prompt notification to the DPA and to the data subjects can be of critical importance in reducing the time frame in which the criminals may take advantage of the stolen data and cause damage to the data subjects. This failure was considered more serious in view of the size of the company and the amount of data held in its systems, from which a “huge responsibility” derives (as stated by Ms Verdier, Dutch DPA deputy chairperson).
The DPA's fine for the delay in reporting the data breach shows the importance of a prompt response, including the communication to the authorities that should follow in the unfortunate event that a company suffers a data breach. A delay of 22 days is far from the 72-hour deadline mandated by the GDPR, and such a gap in informing the lead authority may give a considerable advantage to the criminals, especially if the data subjects are not appropriately informed of the risk they are running. The Dutch DPA underlined that the security measures a company must ensure should include not only adequate tools and a framework to prevent data breaches from happening, but also the ability to react promptly when personal data are affected by a security violation.