Booking.com B.V. – €475,000 Fine (Netherlands, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Booking.com reported a data breach in which an unknown person tricked a Trip Provider (an accommodation partner) into handing over the credentials needed to access Booking.com's reservation system. The breach exposed personal data of over 4,100 guests, including names, addresses and credit card details. The €475,000 fine was imposed for late notification and highlights the importance of notifying the supervisory authority promptly once a breach is discovered.
What happened
An unknown person phoned a Trip Provider, posed as a Booking.com employee, and obtained the provider's username, password and 2FA pin code, which gave them access to Booking.com's reservation system (Extranet).
Who was affected
Guests who made reservations through Booking.com and had their personal data exposed.
What the authority found
The authority fined Booking.com €475,000 for failing to notify the supervisory authority about the breach within the required 72 hours.
Why this matters
This case shows that a breach need not involve a technical vulnerability: a single phone call that defeats password and 2FA protections is enough. It also shows that the 72-hour notification clock starts when the company becomes aware of the breach, and that missing it is fined on its own, independent of how the breach occurred. Online businesses need both measures against social engineering of their partners and an incident response process that gets breaches reported on time.
Original data from the scraper, before AI verification against the source document:
On 7 February 2019 Booking.com (Booking) submitted a data breach notification to the AP (Autoriteit Persoonsgegevens). An unknown person or persons had gained access to Booking's reservation system by pretending to be a Booking employee. About 40 accommodations in the United Arab Emirates were affected, and personal data of guests from various EU and non-EU countries was exposed. Booking stated in the notification that it became aware of the breach on 10 January 2019, which triggered an AP investigation under Article 33(1) GDPR (the obligation to notify the supervisory authority of a breach within 72 hours).

Booking operates the reservation platform on which so-called "Trip Providers" offer accommodation, flights, car rentals and day trips to Booking's users. To complete a reservation, users must provide contact, reservation and payment data. That information is then shared with the Trip Providers via Extranet, an online administration dashboard for reservations. Access to Extranet is secured: representatives of Trip Providers have to enter a username, a password and a "2FA pin code".

The breach was the result of what the AP calls a social engineering attack: an unknown person phoned a Trip Provider and, by pretending to be a Booking employee, obtained the username, password and "2FA pin code" needed to access Extranet. Personal data of about 4,109 guests was compromised, including first and last names, addresses, phone numbers, check-in and check-out dates, total price, price per night, reservation numbers, communication between hotels and guests, and 283 sets of credit card details, for about 97 of which the CVC was also exposed.

Timeline of the breach:
19 December 2018 – social engineering phone call, start of the incident
9 January 2019 – first email to Booking from accommodation 1. A guest of that hotel had been approached by email, sent from a Hotmail account, by a "reservation employee". The "employee" had asked for the guest's birth date, which was necessary to complet
Related Enforcement Actions (0)
No other enforcement actions were found for Booking.com B.V. in the Netherlands; this is the only recorded action for this entity in this jurisdiction.
Details
Fine Date: 10 December 2020
Authority: Autoriteit Persoonsgegevens
Fine Amount: €475,000
Enforcement Tracker ID: ETid-612
GDPRhub ID: gdprhub-3323

About this data
Cite as: Cookie Fines. Booking.com B.V. - Netherlands (2020). Retrieved from cookiefines.eu