April 14, 2021

Online travel reservations company agrees to €475,000 GDPR fine

On March 31, 2021, the Autoriteit Persoonsgegevens, the data protection authority of the Netherlands, announced that it had reached a settlement with the online travel reservations company Booking.com. The company, which is based in the Netherlands, agreed to pay a fine of €475,000 to resolve the authority’s investigation of the company’s failure to report a December 2018 data breach within the 72-hour timeframe permitted by the General Data Protection Regulation.

According to the Autoriteit Persoonsgegevens, Booking had notice of the breach on January 13, 2019, but did not report it to the authorities until February 7th.  The breach exposed the personal data of over 4,000 consumers, including names, addresses, telephone numbers and hotel reservation details.  The hackers used the stolen information to conduct a phishing campaign against Booking customers; they obtained credit card details of 283 individuals, and the security code of over 30% of those.

In its statement about the fine, the Autoriteit Persoonsgegevens emphasized the importance of prompt notification, remarking on the increase in data breaches and breach attempts in recent years, and noting that Booking.com does not intend to appeal the fine. 

Autoriteit Persoonsgegevens press release