Security News > 2021 > April > Dutch watchdog fines Booking.com €475k after it kept customer data thefts quiet for more than 3 weeks

The Netherlands Data Protection Authority has fined Booking.com €475,000 for notifying it too late that criminals had accessed the data of 4,109 people who booked a hotel room via the website.

They then gained access to data including users' names, addresses, telephone numbers, and details about their booking.

The watchdog added that the data that was kept in the Extranet included first names, last names, addresses, telephone numbers, check-in and check-out dates, total price, reservation numbers, any correspondence between the hotel and the guests and - for 283 parties - their payment card details.

The AP said the company had been notified of the data leak on 13 January, 2019, but had not reported this to the watchdog until 7 February, noting: "That is 22 days late."

Under article 33 of the European General Data Protection Regulation, companies are mandated to report a "Data breach" within 72 hours.

Booking is headquartered in Amsterdam, hence the ruling from the Dutch data protection authority.

News URL

https://go.theregister.com/feed/www.theregister.com/2021/04/01/booking_dot_com_fine/