Dutch DPA fines Booking.com for delay in reporting data breach

Booking.com has been fined €475,000 for reporting a serious data breach too late, the Dutch Data Protection Authority (DPA) has announced.

The breach allowed criminals to obtain the personal data of 4,109 customers, as well as the credit card details of 283 people; in 97 of those cases the criminals also obtained the card's security code.

The events occurred in December 2018, when the criminals, in a telephone scam, persuaded staff at 40 hotels in the United Arab Emirates (UAE) to hand over their log-in details for the Booking.com system. With those credentials they accessed the records of 4,109 customers who had booked rooms at those hotels in the UAE. The data included names, addresses, telephone numbers and booking details.


“Booking.com customers ran a risk of falling victim to serious theft even if the criminals didn’t obtain credit card information but only someone’s name, contact details and booking information. After all, those details could be used by fraudsters for “phishing” expeditions.”

Monique Verdier, Dutch DPA deputy chair


Booking.com reported the data breach to the Dutch DPA on 7 February 2019, although the company had been informed of it on 13 January. Under the GDPR, companies and public authorities alike must report a data breach to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it; Booking.com's notification came 22 days after that 72-hour deadline had passed.

Booking.com informed the affected customers on 4 February 2019 and offered them various measures to limit and compensate the damage.

“Taking rapid action is essential, not least for the victims of the breach. After receiving a report the (Dutch) DPA can order a company to immediately warn those affected. This can prevent criminals having weeks in which to attempt to defraud customers.”

Monique Verdier, Dutch DPA deputy chair


Booking.com has accepted the fine and will neither apply for review of the decision nor lodge an objection.


Booking.com's global headquarters are in the Netherlands, which is why the inquiry was carried out by the Dutch DPA. Because the matter is inherently international, the Dutch DPA coordinated its investigation with the other European data protection supervisory authorities.


#DataProtection #Privacy #DataPrivacy #GDPR #RGDP #APD #phishing

Contiac Abogados