Booking.com fined €475,000 over delay in reporting a breach
Monday, April 5, 2021
The Dutch Data Protection Authority (AP) has imposed a fine of over £400,000 on Booking.com for reporting a security incident twenty-two days after discovering it, instead of within the mandated 72 hours.
Commenting on the fine issued to Booking.com, Ilia Kolochenko, founder and Chief Architect of ImmuniWeb, told Teiss that the fine seems to be severe given that sensitive data of just 300 people was compromised among the 4,000 victims who were somehow affected.
“The Dutch DPA exercised its discretion to impose fines under Article 83 of GDPR in a broad manner, and it seems to be an unambiguous signal of zero tolerance for late data breach reports. From the Booking.com statement, it’s unclear whether it will appeal the sanction as disproportionally harsh in light of the unprecedented lenience towards Marriott and BA by the UK regulator.
“The European Data Protection Board will probably intervene and bring more clarity on this specific misconduct in terms of gravity and subsequent punishability. In any case, this precedent evidences that victims of data breaches are to rigorously follow Article 33 of the GDPR and notify the competent DPA within 72 hours as prescribed,” he added.