Hefty Fine for Booking.com Due to Delayed Data Breach Notification; With Little Financial Information Stolen, Is the Amount Excessive?

Booking.com has been hit with a €475,000 fine (about $558,000) for a 2018 incident in which several thousand United Arab Emirates (UAE) hotel guests had their personal information exposed. A relatively small number of credit card numbers were leaked, but the primary determiner of the fine amount is the fact that Booking.com waited 22 days to report the incident to the appropriate authorities. The EU General Data Protection Regulation (GDPR) requires that organizations issue data breach notifications within 72 hours of becoming aware of an incident. The size of the fine is a point of contention, as it stretches to the limit of what the GDPR allows for an incident that involved relatively little sensitive personal information, but it bucks what has been a recent trend of leniency toward the travel industry.

Is policing of data breach notifications becoming more strict?

The personal information of about 4,100 customers who booked hotels in the UAE in 2018 was exposed in the breach, but only 283 of these had credit card details exposed (97 had the CVV security code exposed along with the full card number). An investigation determined that Booking.com was not directly at fault for the breach, given that the attack targeted customer service agents at individual hotels in the region, but the company was penalized for its slow notification response. The Netherlands-based company became aware of the incident on January 13, 2019 but did not report it to the Dutch data protection authority (the AP) until February 7.

While the fine amount is not one of the largest seen under the GDPR (the top fines have ranged up into the tens of millions of euros), it is the largest that a DPA has issued to a company found responsible only for a late data breach notification. The amount is also not far below the top 10 largest GDPR fines across the EU for 2020, and it is one of the largest fines that the Dutch DPA specifically has issued to date.

Monique Verdier, vice president of the Dutch AP, argued that Booking.com’s failure to issue a timely data breach notification is just as serious a component of the incident as the actual social engineering attack against the hotels: “A data breach can unfortunately happen anywhere, even if you have taken good precautions, but to prevent damage to your customers and the repetition of such a data breach, you have to report this in time.” There is merit to this argument given that the attackers appeared to be exploiting some sort of repeatable vulnerability in Booking.com’s phone authentication protocols, able to convince workers at a number of UAE hotels that they were legitimate employees of the company. Booking.com appears to have agreed with this assessment, telling Dutch reporters that there are no plans to contest the fine amount (but stressing that the issue had nothing to do with its security practices).

Regulators more forgiving towards travel industry

Booking.com’s immediate acquiescence is somewhat surprising given that EU regulators have tended to be forgiving of companies in the travel industry, particularly during the pandemic. The Marriott data breach of 2018 was one of the largest of its kind ever recorded, yet its fine was ultimately reduced to $23.8 million in October from an initial assessment of $123 million. Similarly, the fine for the major British Airways incident of 2018 was reduced to $26 million that month from an initial proposed $238 million. Each involved more serious issues than a late data breach notification, with the companies found responsible for the loss of millions of records of sensitive personal and financial information.

The Dutch DPA did not play a role in those decisions, however. It is thus unclear if this signals a trend in the EU toward stricter enforcement of slow data breach notifications, or if companies based in the Netherlands are going to be subject to tougher standards in this area. Ilia Kolochenko, Founder and Chief Architect at ImmuniWeb, believes that the European Data Protection Board may decide to weigh in on this particular issue: “The fine seems to be severe given that sensitive data of just 300 people was compromised among 4000 victims that were somehow affected. The Dutch DPA exercised its discretion to impose fines under Article 83 of GDPR in a broad manner, and it seems to be an unambiguous signal of zero tolerance for late data breach reports … The European Data Protection Board will probably intervene and bring more clarity on this specific misconduct in terms of gravity and subsequent punishability. In any case, this precedent evidences that victims of data breaches are to rigorously follow Article 33 of the GDPR and notify the competent DPA within 72 hours as prescribed.”

Twitter was recently in a similar situation regarding a fine for a slow data breach notification, and the ultimate amount it was assessed (by the Irish DPA) was very similar. That fine amount was widely criticized as being too small, but there were extra layers of complication in the circumstances of that case. Twitter initially faced more charges, with the issue stemming from a glitch that had exposed the private tweets of certain users to the public for a period of four years. The case involved heavy deliberation among the EU’s DPAs and put a spotlight on a pattern of slow enforcement and low fine amounts by the Irish DPA. Twitter was ultimately fined about $546,000 for its late data breach notification, which it blamed on inadequate staffing during the Christmas 2018 holiday.