Booking.com has been fined over half a million USD for failing to report a serious data breach within time limits set forth by the General Data Protection Regulation (GDPR). The company was aware of the breach back in 2019 when scammers targeted roughly 40 different employees at various hotels located in the United Arab Emirates. The attackers were able to obtain login credentials to the Booking.com system. The malicious actors then accessed the personal details of over 4,100 customers who had utilized the site to book a hotel room.
The information exposed in the attacks includes names, credit card details, and security (CVV) codes for 97 of the 283 credit card victims. Booking.com failed to notify its customers, putting them at risk for credit card theft and identity theft. Although the breach was not Booking.com’s fault, the travel giant did not report the breach until 22 days after being notified of the attack. The GDPR mandates that companies must report breaches within 72 hours of becoming aware of the attack.
Read More: Booking.com Fined $558,000 for Late Breach Notification