Accommodation booking website Booking.com has been fined €475,000 by the Dutch Authority for Personal Data (Autoriteit Persoonsgegevens) for reporting a data breach too late.
In December 2018, criminals stole the personal data of more than 4,000 customers including the credit card details of 300 customers through a data breach at booking.com.
The criminals captured their Booking.com login details from employees of 40 hotels in the United Arab Emirates. They used these credentials to steal names, addresses and telephone details of 4,109 customers who had booked a hotel room in the United Arab Emirates via the booking site.
Booking.com was notified of the data breach on 13 January 2019, but did not report it to the Personal Data Authority until 22 days later. A data breach must be reported to the Personal Data Authority within 72 hours.