Following an international investigation in cooperation with other European privacy regulators, on 31 March 2021 the Dutch data protection authority (“Autoriteit Persoonsgegevens – AP”) released its decision (available here in Dutch) to impose a fine of €475,000 on Booking.com (incorporated in Amsterdam) arising from its delays in reporting a data breach incident (the “Breach”).
Breach
The Breach arose from a December 2018 incident in which staff members at several hotels in the UAE were persuaded to reveal their log-in details for their Booking.com system accounts to telephone scammers. During the Breach, the scammers then accessed over 4,000 customer records, including the credit card information of nearly 300 customers. The AP said there had been a high risk to affected customers because of subsequent phishing attacks undertaken with the information.
Notification
Booking.com received several emails in January 2019 (on 8 January 2019, 13 January 2019, and 20…
















