Booking.com B.V. – €475,000 Fine (Netherlands, 2020)

€475,000 | Autoriteit Persoonsgegevens | 10 December 2020 | Netherlands
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

On 7 February 2019 Booking.com (Booking) submitted a data breach notification to the AP. An unknown person or persons gained access to Booking's reservation system by pretending to be a Booking employee. About 40 accommodations in the United Arab Emirates were affected, and personal data of guests from different EU and non-EU countries were exposed. Booking stated in the notification that it became aware of the breach on 10 January 2019, which triggered an AP investigation under Article 33(1) GDPR (the obligation to notify the supervisory authority of a breach within 72 hours). Booking maintains the reservation platform on which so-called "Trip Providers" offer accommodation, flights, car rentals and day trips to Booking's users. These users have to provide contact, reservation and payment data in order to complete a reservation. That information is then shared with the Trip Providers via Extranet, an online administration dashboard for reservations. Access to Extranet is secured: representatives of Trip Providers have to enter a username, a password and a "2FA pin code". The breach resulted from what the AP calls a social engineering attack: an unknown person contacted a Trip Provider by phone and, by pretending to be a Booking employee, obtained the username, password and "2FA pin code" needed to access Extranet. Personal data of about 4,109 guests were compromised, including first and last names, addresses, phone numbers, check-in and check-out dates, total price, price per night, reservation numbers, communication between hotels and guests, and 283 sets of credit card details, including the CVC for about 97 of them.

Timeline of the breach:

19 December 2018 – social engineering phone call, start of the incident
9 January 2019 – first email to Booking from accommodation 1. A guest of that hotel had been approached by email, sent from a Hotmail account, by a "reservation employee". The "employee" had asked for the guest's birth date, which was necessary to complet

GDPR Articles Cited

Art. 33(1) GDPR

Related Enforcement Actions (0)

No other enforcement actions found for Booking.com B.V. in NL

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

10 December 2020

Authority

Autoriteit Persoonsgegevens

Fine Amount

€475,000

Enforcement Tracker ID

ETid-612

GDPRhub ID

gdprhub-3323

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Booking.com B.V. - Netherlands (2020). Retrieved from cookiefines.eu
