Blog details

Dutch DPA imposes fine for delayed report of a data breach

Dutch DPA imposes fine for delayed report of a data breach

Dutch DPA imposes fine on international travel agency booking.com, for their delayed action in reporting a significant data breach. 


Netherlands based international travel agency, Booking.com was recently hit with a fine for their delayed action in reporting a data breach. The breach was discovered on January 13, 2019, after having occurred in December of 2018. However the incident was not reported to the DPA until February 7th 2019. Data breaches must be reported to the relevant authorities within 72 hours of their discovery, making this report about 22 days late. As a result, the Dutch DPA imposed a fine of €475,000 on the company. 


Because booking.com is an international company with customers from a range of different countries, the investigation into the breach was international in scope. The investigation however was conducted by the Dutch DPA, due to the fact that the company is based in the Netherlands. 


Cyber criminals posed as booking.com staff in emails and on the phone in order to steal personal information. 


These cyber criminals were able to collect information by posing as booking.com staff in emails and on the telephone. This scam targeted 40 hotels in the UAE in December 2018. The phishers, by using the booking information of these customers to appear more credible when posing as booking.com staff, attempted to gather as much personal and financial information on as many customers as they could, in order to steal money from them. This data included login credentials, as well as financial information. The scope of this data breach was so wide that the criminals were able to access the data of over 4000 people, including the credit card information of over 280 people. In 97 of those cases, even the security code for the credit card was obtained.


Booking.com does not object to the fine imposed and has compensated their customers for the financial losses suffered as a result of the breach. 


Although booking.com was made aware of the breach on 13 January 2019, it was not until February 4, 2019 that they informed the affected customers. Further still, the company waited until February 8 to inform the DPA of the breach. The company has offered several solutions including financial compensation for any losses suffered by their customers. Booking.com will not lodge any objections or apply for review of the fine imposed. 


There has been a significant increase in cyber crimes over the past year, making enhanced security measures even more invaluable. 


In recent times, particularly since 2020 there has been a significant increase in personal data theft and related attempts. 2020 saw a rise of 30% more data theft than the previous year. Many individuals have personally fallen victim and suffered financial losses as a result of phishing and other forms of data theft for the purposes of accessing financial information. DPAs have remarked on the explosive increase in these cases over the last year. Enhanced security, as well as timely reporting in the event of a breach, can greatly reduce the impact that this sort of theft has on individuals. 


Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy, GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides ePrivacy, GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, EU AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

Prev post
La filtración de datos de Facebook afecta a más de 500 millones de usuarios en todo el mundo
April 14, 2021
Next post
La autoridad de control de los Países Bajos impone una multa por no informar de una brecha de seguridad en plazo
April 16, 2021

Leave a Comment