The Dutch data protection authority fined the hotel booking platform Booking.com €475,000, about R$3.1 million in direct currency conversion.
The reason is conduct considered inappropriate following a cyber attack under the European Union's regulation, the GDPR. The service had data accessed by third parties, but it took 22 days to report the incident. Under the legislation, the maximum time allowed is 72 hours after discovering the security breach.
In response to the fine, Booking.com acknowledged the failure and will not appeal against the penalty. In addition, the company stresses that it has taken all necessary measures to ensure the safety of customers, including its own investigative measures that led to the delay in notifying the authorities.
According to The Record, the intrusion took place in December 2018 and resulted in the collection of data on 4,109 people who booked a room in a hotel in the United Arab Emirates.
Credit card numbers and their security codes were also accessed, and in some cases criminals even contacted victims pretending to be from Booking.com in order to carry out scams.
The intrusion was possible after the attackers gained access to the credentials of one of the platform's employees, using techniques not detailed in the report.