According to the EU’s foremost privacy regulator, the fine was imposed because of a security breach’s late report. The hotel booking website had undergone a security breach on January 13, 2019, but did not report until February 7. As a legally registered business in Amsterdam, Netherlands, the law dictates that the company should have reported the case within 72 hours. Its failure to report the case was a violation of privacy regulation in the country, hence the fine. In an official statement, VP of Dutch regulator Monique Verdier said:
Over 4,000 customers affected
The security breach affected more than 4,000 customers of hotel booking service providers, a report says. Out of this number of customers who booked a hotel in UAE, the credit card details of almost 300 customers were stolen. After almost a month of the attack, the company’s report of the security breach neither helps prevent damage to customers nor prevents the recurrence of attacks. This is not the first time Booking.com is facing an attack. In November 2020, the platform experienced another attack with millions of its customers’ data potentially exposed. The investigation found that the breach was caused by Booking.com reservation company Prestige Software storing customers’ payment details with no protection. Any customer who had booked with the company since 2013 was affected by the breach.
Things got out of hand
Booking.com has admitted its failure in reporting the breach in time. However, in its defense, the company’s spokesperson said they were working internally to resolve the issue, but things got out of hand. As a result, the company had no choice but to report to the regulator, at which time the card details of hundreds had leaked.