Fine for late notification of data protection breach

Booking.com was fined €475,000 by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) for reporting a data breach to the authority only after the statutory deadline had passed.
 
Booking.com has its global headquarters in the Netherlands, but it is an international corporation with customers from a wide range of countries. The investigation that followed the breach was therefore an international matter: the Dutch data protection authority led it and cooperated with other European data protection authorities.
 
In the incident, criminals stole the personal data of more than 4,000 customers and also obtained the credit card data of nearly 300 of them.
 
The criminals obtained the credentials that about 40 hotels in the United Arab Emirates used to log in to a Booking.com system. With these, from December 2018 onwards, they could access the data of 4,109 people who had booked a hotel room in that country via the website: names, addresses and telephone numbers as well as the booking details. For 283 of these people they could also view credit card details, in 97 cases including the credit card security code. Posing as Booking.com employees by email or phone, they additionally tried to extract the credit card details of other victims.
 
What data protection breach did Booking.com commit?

Booking.com became aware of the data leak on 13 January 2019, but did not report the incident to the authority until 7 February 2019. The GDPR requires a data breach to be reported to the supervisory authority within 72 hours of the organisation becoming aware of it, in the Netherlands via the AP's “Data Breach Reporting Desk”. The 72-hour period ended on 16 January, so the report came 22 days too late. Note that the clock starts when the organisation becomes aware of the breach, not when its internal investigation is complete.
 

Booking.com first notified the affected customers of the leak on 4 February 2019 and took further steps to mitigate the damage, such as offering to compensate them for any losses.
 
“This is a serious breach,” said a spokesperson for the Dutch Data Protection Authority. “A data breach can unfortunately occur anywhere, even if you have taken good precautions. However, to avoid damage to your customers and the recurrence of such a data breach, you need to report it in a timely manner. Such a big company with valuable personal data of millions of customers in its systems has a big responsibility. Customers trust Booking.com with their personal data. And they need to do everything they can to protect that data properly. That means good security to prevent a leak, but also fast action if something unexpectedly goes wrong.”