The Dutch Data Protection Authority (AP) imposed a €475,000 fine on Booking.com (whose headquarters are in the Netherlands) because of its delay in reporting a data breach to the agency. In the breach, in 2018, criminals stole the personal data of more than 4,000 customers and also managed to obtain credit card details from nearly 300 victims. Criminals obtained login credentials for accessing the Booking.com system through phone calls to employees at 40 hotels in the United Arab Emirates.
As a result, in December 2018, criminals had access to the data of 4,109 people who made hotel reservations in that country through Booking. The data included names, addresses, phone numbers and other details about the reservation. Criminals also had access to credit card details for 283 people, including the card’s security code in 97 cases. In addition, they attempted to obtain credit card details from other victims by email or telephone by posing as Booking.com employees.
“Booking.com customers were at risk of being ripped off here,” said AP vice president Monique Verdier. “Even if the criminals did not steal your credit card details, just someone’s name, contact details and hotel reservation information. Scammers used this data for phishing.”
Booking.com was notified of the data breach on January 13, 2019, but only informed the AP on February 7 of that year. The company was under an obligation to report the data breach within 72 hours. Booking.com notified affected customers of the breach on February 4, 2019. The company has taken other measures to limit the damage, such as offering compensation for any damages.
“Booking.com’s investigation was international,” the Dutch AP said in a statement. “It is an international company with customers from different countries. Booking.com has its global headquarters in the Netherlands. That is why the AP conducted this investigation. As it is an international issue, the Dutch DPA coordinated the investigation with the other European privacy regulators.”
The data breach notification obligation means that both companies and governments must report serious data breaches to the AP immediately, and within 72 hours at the latest. In 2020, the AP saw an explosive increase in the number of hacks aimed at stealing personal data. The number of complaints increased by no less than 30% in 2020 compared to 2019, according to the Data Leakage Report 2020.
With international news agencies
See the original post at: https://www.cisoadvisor.com.br/atraso-na-comunicacao-de-incidente-da-multa-de-e-755-mil-ao-booking-com/?rand=59039