English
French
German
The Dutch Data Protection Authority (DPA) – the country’s data protection regulator – has fined online travel and hotel booking company Booking.com almost half a million Euros over a data breach.
Interestingly, the fine was issued not merely because there was a breach, but because the company didn’t report the breach quickly enough:
The Dutch Data Protection Authority (DPA) has imposed a €475,000 fine on Booking.com because the company took too long to report a data breach to the DPA. When the breach occurred, criminals obtained the personal data of over 4,000 customers. They also got their hands on the credit card information of almost 300 people
According to the report, the attack was conducted against hotels in the United Arab Emirates (UAE), using social engineering tricks over the telephone.
The crooks apparently called staff at 40 different hotels in the region and talked them into handing over login details for hotel accounts on the Booking.com system.
With these purloined logins, the crooks retrieved data about 4109 customers’ bookings, including at least those customers’ names, addresses and phone numbers.
However, the crooks also got hold of credit card data from 283 of those bookings, including 97 bookings where the CVV had been recorded as well.
The CVV is the security code (usually three digits) that’s printed at the end of the signature strip on the back of your card, but not stored digitally anywhere else, neither on the magstripe nor on the chip.
Loosely speaking, the payment card industry says that CVVs should not be saved to permanent storage at all, at least after a transaction is complete.
However, those codes frequently do get saved temporarily, assuming that the transaction isn’t processed immediately, leading to the risk of exposure if ever they are displayed or recovered later on.
The DPA also claims that the same criminals tried to extract personal data by calling up hotels and pretending to be from Booking.com itself, though it’s not clear if that part of the scam worked as planned.
