Site icon Sophos News

Too slow! Booking.com fined for not reporting data breach fast enough

The Dutch Data Protection Authority (DPA) – the country’s data protection regulator – has fined online travel and hotel booking company Booking.com almost half a million Euros over a data breach.

Interestingly, the fine was issued not merely because there was a breach, but because the company didn’t report the breach quickly enough:

The Dutch Data Protection Authority (DPA) has imposed a €475,000 fine on Booking.com because the company took too long to report a data breach to the DPA. When the breach occurred, criminals obtained the personal data of over 4,000 customers. They also got their hands on the credit card information of almost 300 people

According to the report, the attack was conducted against hotels in the United Arab Emirates (UAE), using social engineering tricks over the telephone.

The crooks apparently called staff at 40 different hotels in the region and talked them into handing over login details for hotel accounts on the Booking.com system.

With these purloined logins, the crooks retrieved data about 4109 customers’ bookings, including at least those customers’ names, addresses and phone numbers.

However, the crooks also got hold of credit card data from 283 of those bookings, including 97 bookings where the CVV had been recorded as well.

The CVV is the security code (usually three digits) that’s printed at the end of the signature strip on the back of your card, but not stored digitally anywhere else, neither on the magstripe nor on the chip.

Loosely speaking, the payment card industry says that CVVs should not be saved to permanent storage at all, at least after a transaction is complete.

However, those codes frequently do get saved temporarily, assuming that the transaction isn’t processed immediately, leading to the risk of exposure if ever they are displayed or recovered later on.

The DPA also claims that the same criminals tried to extract personal data by calling up hotels and pretending to be from Booking.com itself, though it’s not clear if that part of the scam worked as planned.

What’s the risk?

Even without your credit card data, crooks who have the “gift of the gab”, and who know the precise details of a hotel stay you already booked, are in a prime position to scam you with a fake call, or even a bogus email phrased in the right way.

As Monique Verdier, deputy chair of the DPA, pointed out in the Authority’s report:

By posing in emails or on the phone as hotel staff, they attempted to steal money from people. Such an approach can seem highly credible if the fraudster knows exactly when you made a booking and what room you booked, then asks you to pay for the nights in question. Large amounts of money can be stolen in this way.

After all, many of us will have had offers of this sort from legitimate companies such as car rental firms and hotels, where we get contacted ahead of a reservation we already, made, asking if we want to upgrade, or to extend our booking, or to pay in advance to get a cheaper rate, and so on.

How was it disclosed

The DPA report lists the timeline of this incident as follows:

Not good enough, says the DPA!

Companies have 72 hours to submit reports from the time they know that a breach has occurred, not 72 hours after customers have been notified.

By that metric, Booking.com should have reported to the DPA by 16 January 2021, 22 days earlier than it did:

Taking rapid action is essential, not least for the victims of the breach. After receiving a report the DPA can order a company to immediately warn those affected. This can prevent criminals having weeks in which to attempt to defraud customers.

What to do?

Exit mobile version