Too slow! Booking.com fined for not reporting data breach fast enough

The Dutch Data Protection Authority (DPA) – the country’s data protection regulator – has fined online travel and hotel booking company Booking.com almost half a million Euros over a data breach.

Interestingly, the fine was issued not merely because there was a breach, but because the company didn’t report the breach quickly enough:

The Dutch Data Protection Authority (DPA) has imposed a €475,000 fine on Booking.com because the company took too long to report a data breach to the DPA. When the breach occurred, criminals obtained the personal data of over 4,000 customers. They also got their hands on the credit card information of almost 300 people

According to the report, the attack was conducted against hotels in the United Arab Emirates (UAE), using social engineering tricks over the telephone.

The crooks apparently called staff at 40 different hotels in the region and talked them into handing over login details for hotel accounts on the Booking.com system.

With these purloined logins, the crooks retrieved data about 4109 customers’ bookings, including at least those customers’ names, addresses and phone numbers.

However, the crooks also got hold of credit card data from 283 of those bookings, including 97 bookings where the CVV had been recorded as well.

The CVV is the security code (usually three digits) that’s printed at the end of the signature strip on the back of your card, but not stored digitally anywhere else, neither on the magstripe nor on the chip.

Loosely speaking, the payment card industry says that CVVs should not be saved to permanent storage at all, at least after a transaction is complete.

However, those codes frequently do get saved temporarily, assuming that the transaction isn’t processed immediately, leading to the risk of exposure if ever they are displayed or recovered later on.

The DPA also claims that the same criminals tried to extract personal data by calling up hotels and pretending to be from Booking.com itself, though it’s not clear if that part of the scam worked as planned.

What’s the risk?

Even without your credit card data, crooks who have the “gift of the gab”, and who know the precise details of a hotel stay you already booked, are in a prime position to scam you with a fake call, or even a bogus email phrased in the right way.

As Monique Verdier, deputy chair of the DPA, pointed out in the Authority’s report:

By posing in emails or on the phone as hotel staff, they attempted to steal money from people. Such an approach can seem highly credible if the fraudster knows exactly when you made a booking and what room you booked, then asks you to pay for the nights in question. Large amounts of money can be stolen in this way.

After all, many of us will have had offers of this sort from legitimate companies such as car rental firms and hotels, where we get contacted ahead of a reservation we already, made, asking if we want to upgrade, or to extend our booking, or to pay in advance to get a cheaper rate, and so on.

How was it disclosed

The DPA report lists the timeline of this incident as follows:

• December 2018: Data breach started
• 13 January 2019: Booking.com became aware of the leak.
• 04 February 2019: Booking.com informed affected customers.
• 07 February 2019: Booking.com informed the Data Protection Authority.

Not good enough, says the DPA!

Companies have 72 hours to submit reports from the time they know that a breach has occurred, not 72 hours after customers have been notified.

By that metric, Booking.com should have reported to the DPA by 16 January 2021, 22 days earlier than it did:

Taking rapid action is essential, not least for the victims of the breach. After receiving a report the DPA can order a company to immediately warn those affected. This can prevent criminals having weeks in which to attempt to defraud customers.

What to do?

• Make sure your staff feel empowered to stand up to social engineers. Teach your staff that it’s perfectly acceptable to say, “No” to people who call up and try to trick, sweet-talk or scare them into revealing information that is supposed to be confidential. Why not get your staff to listen to our special-episode podcast with Rachel Tobac, a renowned social engineering expert? This podcast will give you the confidence and understanding to stick to our mantra of “if in doubt, don’t give it out.”

  LISTEN NOW

  Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.

• Have somewhere for staff to report suspcious calls and messages. Most staff want to do the right thing when it comes to cybersecurity, so create a well-known internal email or phone number where they can report contacts that look phishy. Treat your users with respect and you can turn them into extra eyes and ears for your security team.
• Have a plan for what to do if the worst happens. It’s not admitting guilt or a sign of incompetence to make plans in case of a data breach, because won’t have time to plan afterwards! Even the DPA admits that “a data breach can occur anywhere, even if you have good precautionary measures in place. But in order to prevent harm to customers and future attacks, you have to report a breach on time.” Make sure you know what you need to do, just in case.

  WATCH NOW

  ---