They have a $100B enterprise value, and make ~$4B/year in GAAP income. This is not even the yearly cost of a higher level lawyer. If you make $200k/year then the fine would correspond to a $30 ticket. Lol, just lol.
This fine is just for their Dutch operations, which is far smaller than their global operation. I estimate this to be about 1% of their expenses in NL, so in your analogy, this'd be a $2k fine.
Also: the crime isn't that bad. They did report the breach on their own accord, and acted according to the laws at hand. The report may have been two weeks too late, but it was there. Their preventative measures and reaction were deemed good enough, just not timely. A crippling fine wouldn't have been appropriate, given the verdict.
The company could have avoided the fine by doing exactly the same thing they did, just a little faster. The fine counterbalances the cost-savings they may have had by having fewer people work on this. A future manager will probably see the fine, and decide just to put a little more resources into this, so the report can be on time. When that happens, the fine has served its purpose.
You are right, in the context lawyers/regulators/etc. are operating within.
OTOH, in a wider context, you have to concede OP's "lol" perspective is true too. The money itself has little/no possible deterrent effect.
"Just for their Dutch operations" is a lawyerly frame... it isn't a business frame. booking.com's Dutch business operations aren't really separate. Any security/transparency practices beyond "compliance" almost certainly exist across borders.
I agree though that a fine (any amount) can be enough to adjust resources/practices on a small scale. On a bigger scale, the threat of a fine (any amount) probably is not enough to deter much. I.e., if changes are strategic, costly or impact revenue... a fine will always be cheaper.
I think this is the total fine for the entire EU. Usually one of the Data Protection Authorities takes charge of the investigations, and since Booking has their HQ in Amsterdam, it was the Dutch one in this case. They mention that they coordinated with other DPAs.
I guess the idea is to make it hurt, not ruin a business. How would a 0.5M fine hurt a business with 4B revenue, you may ask, but I think that it will hurt the people responsible for the leak since it will be known within the company that someone screwed up or someone is pure evil, two labels that you don't want to get in a workplace.
Companies spend a lot of money and energy on projecting an image, not only to the outsider but also to the insiders.
Unless they pride themselves on being evil and on cut-throat office politics, I bet this fine will make a dent in someone's image and will trigger some policy change or similar.
Companies are not really monoliths, despite their efforts to be seen as such.
I don’t think the idea is to “make it hurt” so much as to make compliance more affordable than non-compliance. If the “right” response to a data breach is also the most cost effective then it’s infinitely more likely that a business will pursue the right response. Unfortunately, the right response is most often the most expensive and so is actively avoided by management because, at the moment at least, sweeping it under the rug and keeping your mouth shut is free and only a tiny bit of a gamble that someone finds out.
Exactly that. Disclosing earlier would've definitely been cheaper than $500k. And even billion dollar companies care about $500k. Companies that don't care if they spend $500k on a fine or not don't tend to exist for very long.
It looks like the idea is to be very selective about who gets fined. CPS Utrecht ("Veilig Thuis") also got a data leak. Everything got leaked: from files on children, medical files on children and adults, phone calls, emails, ... the works.
The fine? It wasn't even mentioned that a fine would be forthcoming. Until city hall took steps to replace the organisation they refused to modify their systems and stop the still-in-progress leak. It got to be a scandal.
So clearly: the idea is to fine only people they feel like fining. Anything even tangentially related to the government (this is a private for-profit organization (running quite a decent profit I might add, as well as paying management very nicely) that merely works for the government) does not get fined, even for leaking much, much more sensitive information.
Needless to say, CPS has still not changed their processes to better secure medical files. They are still being sent, without any encryption or authentication, over email. So it's not just that they weren't fined: the whole purpose of the data protection law, actually keeping the data safe, was ignored entirely even when they got caught spreading extremely sensitive information around and storing it without encryption.
How in the actual fuck are they still operating? If the government doesn’t do anything about it I’d very quickly expect a mob with pitchforks outside their office.
> This is the worst thing that could happen to us [original Dutch: "Dit is het ergste wat ons kan overkomen"]
Sounds like they think it’s some sort of natural disaster that happened to them. I have no words.
Thank god it was two good guys registering the domain.
On GDPR, it seems HN has two completely opposing reactions depending on the time since a fine has made headlines. If it's been a while, the prevailing sentiment seems to be "the big bad EU will financially ruin me for my side project if I don't hire a full-time data protection lawyer", and when a fine is actually issued, it's "that's not even a slap on the wrist, who's going to care, lol". It's almost as if EU data protection agencies reacted proportionately to the severity of the misdeed. This is a leak affecting 4109 customers, after all, not a full compromise of booking's systems.
> "the big bad EU will financially ruin me for my side project if I don't hire a full-time data protection lawyer", and when a fine is actually issued, it's "that's not even a slap on the wrist, who's going to care, lol"
The relevant question, then: what is the history of GDPR enforcement against small companies? Personally I have no idea, as typically only the big cases make the front-page.
For example, a police officer was fined 48 euro for accessing "personal data in a police database for private research activities", a housing association was fined 500 euro for "publishing photos showing members of the association without their consent" and Borjamotor, S.A. (which appears to be a Spanish Opel dealership) was fined 4000 euro for "sending commercial advertisements to the data subject via email and SMS, even though the data subject had previously revoked his/her consent to receive advertisements and submitted a request to delete his/her data".
Seems like enforcement appears to be fair and the million-dollar fines that were supposed to bankrupt individuals & small businesses didn't actually happen.
The (Google translated) details[1] of the police officer situation are interesting. He searched his fiancé in the police database and it seems like his employer is the one who reported it to the DPA. I’m actually a bit surprised a police force would report “one of their own” for such an infraction.
Is the fine an "EU fine" or a "Netherlands fine"? I'd expect the fine to be proportional to the territory issuing it, not to the total global value of the company. You would not expect this fine to be e.g. 10% of the company's global valuation, and then 9 other countries issue a similar fine and destroy the company.
The Netherlands being 1% of global GDP, this would be proportional to a $50B "global fine" or 50% of the company valuation. So in that sense, it even seems too big.
The EU being 20% of global GDP, this would be proportional to a $2.5B "global fine" or 2.5%, which IMHO seems small-to-fair for a data leak of this type.
GDPR maximum fines are dictated by global revenue.
>Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
It's a number that will cause them to sit up and take notice, without starting a multi-year legal war. It signals to booking.com and other companies that the regulator is not asleep. The implicit threat is: fix your behaviour, everyone, or worse fines will follow.
I also would be fine as long as "or worse fines will follow" is true.
I would consider as desirable that egregious, systematic and catastrophic security failures would be resulting in fines and penalties large enough to bankrupt companies[0]. But starting from that is rather not a good idea, I agree that some warning is a good idea.
[0] for example $2000 for every single leaked address that they deliberately collected (if a company is scared: then they should not ask the user for address data! Companies very rarely actually need it, and they still ask.).
For catastrophic failures the fines certainly become very large very quickly. And follow up fines if behaviour isn't changed do go up as well. So far, it's usually the former as most companies adjust by their first fine.
The size of the fine will probably increase the value of the company and sector as it reduces model assumption for future regulatory penalties now that a precedent has been set.
That number is meaningless for how much a company is hurt by a fine. A market valuation is just based on the current stock price. It doesn’t mean that the company has access to that much cash or assets.
From an investor's perspective it's not meaningless. This is a one-off expense which can be safely ignored. This won't even impact the valuation of my investment, in fact the size of the fine will probably increase the value of the company as it will enable me to reduce my assumption for future regulatory penalties now that a precedent has been set.
Except that repeated violations of GDPR are a cause to increase the fine as per the text.
>When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
>(e) any relevant previous infringements by the controller or processor;
Across the wider sector, the fine is a good data point for investors. Even if the fine were doubled or tripled next time, it will be an outcome that won't really change behaviors.
Keep in mind that if they do it again the fine will be much larger. This isn't the USA, and the Dutch DPA is not the FTC. If Booking.com does this again the next fine will be much larger.
> it is important to note that hotels inadvertently provided their Booking.com account login details to online scammers, there was no compromise of the code or databases that power the Booking.com platform.
Interesting precedent. The platform is responsible not just for their own security practices, but also their users' security practices.
> Interesting precedent. The platform is responsible not just for their own security practices, but also their users' security practices.
Well, not really. Booking didn't get fined over security practices. They got fined over not notifying of a breach of their users data within 72 hours.
So you're not really "responsible for users' security practices", you're "responsible for notifying users/authorities in time when you notice leaks/breaches". Seems rather different to me.
This case is rather complex, because the customers have a contractual relationship both with booking.com and directly with the hotel. This makes it difficult to tell whose responsibility the breach notification is. I would have said that it's the responsibility of the individual hotels here.
Would Facebook have to inform me within 72 hours if someone got access to another account that can read private info of my account? I don't think that Facebook (or similar networks) disclose such breaches. At least I've never seen information on that.
On the other hand, if we consider the hotels as just a "user", why would they have access to full CC details, including security code.
As someone booking a hotel on the site, I would expect booking.com to take responsibility for keeping my payment details secure (or, if they want to operate like a marketplace, make it clear that they're not taking responsibility, but in that case it loses a lot of value to me as an end user).
Traditionally Booking.com operated mostly as a marketplace ("agency" model, as opposed to "merchant" model like Expedia [1]). The contract and the payments are between the guest and the hotel, not between the guest and Booking. (Booking bills the hotel afterwards for the commission, they don't bill the guest for the stay.)
Of course they don't always make this very clear to the consumer, and it seems to have gotten more muddled in the last few years. I think they're trying to nudge people more towards their own payment platform nowadays.
> why would they have access to full CC details, including security code.
yeah I stopped using booking because of this. a hotel decided that the card used for reservation was the one to charge for my stay and charged it the day of arrival, and I only discovered later when trying to reserve a rental car and I hit my card limit and couldn't.
that pissed me off in so many ways, first because the booking wasn't an upfront pay but the hotel did it anyway, second because booking disclosed my cc details to a third party instead of being a neutral escrow, and third of course because it bit me in the ass at the worst possible moment, as my car broke down and I needed to cover a rental and repairs while sorting out the rest of the travel.
Sounds like you have a habit of not reading terms. For as much as I loathe Booking, pay-on-arrival is clearly stated, and there is no escrow because you’re paying the hotel directly.
terms say 'pay at the property', not on arrival, and it says the hotel 'reserves the right to temporarily hold an amount prior to arrival', not that it will charge the stay on your provided card.
The parts you highlighted refer to the online booking, and are correct - no charge to your card happened at the time of booking, you were charged by the hotel on arrival - as is custom on every hotel check in, online booking or not.
On top of that, anyone taking a large payment via CC will usually require payment on the same card used for the authorization hold. Accepting another card is risky as funds can be easily made unavailable before the transaction settles.
You just had wrong expectations - on cc charges, that booking would be a “neutral escrow” or be able/willing to help. I’ve been in a similar situation where they held the entire reservation amount, in the thousands, while having already taken payment, and it’s 100% up to the hotel. They just don’t give a shit.
This is yet another reason why CCs are a terrible idea. Having the funds in a checking account and not being able to use them because of credit limit shenanigans is infuriating.
> you were charged by the hotel on arrival - as is custom on every hotel check in, online booking or not
again, you're over generalizing your personal experience. booking on arrival happened to me exactly once. but you're not listening and keep repeating points that don't really apply to the situation at hand.
Sadly that's not how these platforms operate; they provide the card for the security deposit usually.
That's why I've used Agoda every time I could (works well in Asia, spotty elsewhere), because they allow paypal payment. Hotel will still want your card for the deposit but you can just provide it on the first day.
This way you don't have to fight with a place that did overbooking or similar and still has your card on file.
While the individuals themselves may be thought of as users, they are employees of 3rd party partners who act as data handlers and/or data processors. As such it is entirely appropriate that the platform is responsible for this compromise (although depending on the terms of the contract, they could seek restitution from the 3rd parties).
If you as a consumer give your booking.com login information to someone and your information is subsequently stolen, Booking.com would not be responsible for your security practices.
Of course, as the leak would be traced to them as well. When it comes to GDPR you'd like to manage the exposure and the liability associated with having the data. Normally it should be that even the admin operators are not to be trusted with full account/payment/etc. details en masse, and very special care is taken with exports/reports.
I am not sure I am in a position to report it.
I don't have too much detail other than it was Ubiquiti levels of "ownage".
Surely the SEC can see (or be made aware of) comments like this and start their own investigations, no?
As far as I know there is no legal basis for them to contact the banks, at least under GDPR. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) is there to enforce GDPR and will not add additional requirements.
Right, my suggestion is that it should. Yahoo’s settlement included identity protection or something along those lines. Disclosure to the customer might not always be enough.
This is an effective non-fee for an entity their size. I'd assume we see the associated negative pattern - there's little real legislation impact, meaning there's little value in reporting, when examined economically. Were the fine larger, or more severe the reverse message would be sent.
From a certain (not my) point of view poor compliance was just incentivized.
I disagree. Even in a company the size of Booking, top management cannot think “it’s only half a million”.
I expect some manager will get a strongly-worded message about their department costing the company half a million because they waited too long before reporting the breach. That department, likely, will also see bad evaluations.
I also expect Booking will use this case as an example to all other departments.
And that’s ignoring the fact that, if Booking doesn’t change, and something similar were to happen again, the fine likely would be higher.
One can easily think it's only half a million. That number while large for many organizations, isn't for others. Simply put, it's cheaper to pay this fine than build out the (likely) necessary compliance team. Were the fine commensurate with income I think it would go further.
Half a million here, half a million there and before you know we’re talking real money.
Also, if this article is correct, they have everything in place to handle this kind of breach. In the handling, the only thing that went wrong was that they informed the authority too late. It took them 3 weeks, while it has to happen within 3 days. Booking states they contacted affected customers before that.
If the behavior they were fined for was strategically useful to the company, then they will definitely think “it’s only half a million” and keep doing it unless they think the fine will be much larger next time.
If it was just a fuck-up, then what you're describing will happen.
The fine is about late report, not about lacking security practices/mechanism. It's the first fine - more like a warning - hire couple of people to deal with this as the next fine would be order(s) of magnitude larger.
Matt Taibbi said something during the 2008 financial crisis that has always stuck with me, paraphrasing: “Look at the figure a corporation pays in a fine to a regulator, multiply it by 10, and you’ll have roughly the amount they profited from their misdeed.”
As soon as the respective agencies analysed it and get to it. This doesn't happen over night, but is a more complex process which will quite certainly happen.
GDPR violations aren't a crime. You can be fined multiple times for the same issue if you, for example, are being a complete ass towards the DPA or you refuse to fix underlying issues.
FB is being blocked by the Irish DPA, since EU FB is HQ'd there. Sadly this one loophole made it into the GDPR, so the other DPA's can only forward to the Irish agency for FB issues.
Any purchase I make, the shop needs my address and my payment info. It's always the same. Every browser can autofill it, if they bothered using the correct forms. Once the transaction is done, the invoice mailed and the product shipped - there is 0 need for this data to still be stored in their database.
-> Address and payment info - browser auto fill
-> purchase history - invoice via mail
I used to be heavily biased to buy from Amazon, since it is basically one click. But lately, I'm more and more buying from smaller online shops which provide checkout without user account.
I'm sure there are many things where you need to store user data, but also, there are definitely more things where user data is stored although it is not needed.
And ultimately, that is the spirit of GDPR - ask yourself if you really need to store that data.
BCOM are not processing the payment here. They provide a "Hotel Login" which then lets the hotels view (up to N times) the raw card information of the guest for use internally in their own payment processes. There are various approaches that they make available; this is one of a few. More recently Booking.com started to move away from providing the raw card information and instead providing a virtual card whose "Activation" date only becomes enabled once the cancellation policy for the guest booking kicks in (allowing the hotel to charge before arrival). There's also an API approach, but the leading way to get access to the card/payment information __because__ BCOM are not merchants here is to provide this to the merchants/hotels through a BCOM login page. Reading between the lines, this is what I think was exposed.
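The comment above describes a partner-facing "reveal" of raw card data that is view-limited and, in the virtual-card variant, time-gated. The following is an added example of how such a policy can be enforced in code; it is not Booking.com's implementation and nothing in the thread confirms their internals. All names (`CardVault`, `reveal`, `summary`, `purge_expired`, the booking and hotel ids, the view limit and validity window) are hypothetical, and the card number is a constructed test value. It shows what a practitioner would want around a reveal endpoint: an ownership check with a single error for "unknown" and "not yours", a hard per-booking view quota, a validity window after which the data is purged rather than kept, a masked view that does not consume a quota, and an audit trail of every reveal and denial.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


class AccessDenied(Exception):
    """Raised when a reveal request fails a policy check."""


@dataclass
class CardRecord:
    booking_id: str
    hotel_id: str            # the only partner allowed to reveal this card
    pan: str
    expiry: str
    cvv: str
    max_views: int
    valid_until: datetime    # after this the record is purged, not kept
    views: int = 0
    audit: list = field(default_factory=list)


def mask_pan(pan: str) -> str:
    """Show only the last four digits, e.g. '************1111'."""
    return "*" * (len(pan) - 4) + pan[-4:]


class CardVault:
    """Hypothetical reveal service: a booking's card can be shown to its
    hotel at most max_views times and only inside a validity window."""

    def __init__(self, max_views=3, ttl=timedelta(days=7)):
        self.max_views = max_views
        self.ttl = ttl
        self._records = {}

    def store(self, booking_id, hotel_id, pan, expiry, cvv, now=None):
        now = now or datetime.now(timezone.utc)
        self._records[booking_id] = CardRecord(
            booking_id, hotel_id, pan, expiry, cvv, self.max_views, now + self.ttl)

    def _lookup(self, booking_id, hotel_id, now):
        rec = self._records.get(booking_id)
        # One error for "no such booking" and "not assigned to you", so a
        # partner cannot use the endpoint to enumerate other hotels' bookings.
        if rec is None or rec.hotel_id != hotel_id:
            raise AccessDenied("unknown booking or not assigned to this hotel")
        if now > rec.valid_until:
            raise AccessDenied("reveal window closed")
        return rec

    def reveal(self, booking_id, hotel_id, now=None):
        """Return the raw card once, consuming one of the allowed views."""
        now = now or datetime.now(timezone.utc)
        rec = self._lookup(booking_id, hotel_id, now)
        if rec.views >= rec.max_views:
            rec.audit.append((now, hotel_id, "denied: quota"))
            raise AccessDenied("view quota exhausted")
        rec.views += 1
        rec.audit.append((now, hotel_id, f"reveal {rec.views}/{rec.max_views}"))
        return {"pan": rec.pan, "expiry": rec.expiry, "cvv": rec.cvv}

    def summary(self, booking_id, hotel_id, now=None):
        """Masked view for the booking page; does not spend a view."""
        now = now or datetime.now(timezone.utc)
        rec = self._lookup(booking_id, hotel_id, now)
        return {"pan": mask_pan(rec.pan), "views_left": rec.max_views - rec.views}

    def purge_expired(self, now=None):
        """Delete card data whose window has closed; returns count purged."""
        now = now or datetime.now(timezone.utc)
        expired = [b for b, r in self._records.items() if now > r.valid_until]
        for b in expired:
            del self._records[b]
        return len(expired)


def _attempt(fn):
    try:
        fn()
        return "allowed"
    except AccessDenied as e:
        return f"denied: {e}"


def demo():
    """Walk one booking through the policy and return the observed outcomes."""
    t0 = datetime(2021, 1, 1, tzinfo=timezone.utc)
    vault = CardVault(max_views=2, ttl=timedelta(days=7))
    # Constructed test card number, not a real account.
    vault.store("BK-1", "hotel-A", "4111111111111111", "12/25", "123", now=t0)
    out = {"summary": vault.summary("BK-1", "hotel-A", now=t0)}
    out["first"] = vault.reveal("BK-1", "hotel-A", now=t0)["pan"]
    out["second"] = vault.reveal("BK-1", "hotel-A", now=t0)["cvv"]
    out["third"] = _attempt(lambda: vault.reveal("BK-1", "hotel-A", now=t0))
    out["other_hotel"] = _attempt(lambda: vault.reveal("BK-1", "hotel-B", now=t0))
    out["audit_entries"] = len(vault._records["BK-1"].audit)
    later = t0 + timedelta(days=8)
    out["after_window"] = _attempt(lambda: vault.summary("BK-1", "hotel-A", now=later))
    out["purged"] = vault.purge_expired(now=later)
    return out


if __name__ == "__main__":
    print(demo())
```

In a real deployment the raw PAN/CVV would live in a PCI-scoped tokenization service or HSM-backed store and the audit list would be an append-only log; the policy checks above are the part that decides how much of that data a compromised partner login can drain.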
There's nothing wrong with storing customer purchase data as long as this is processed and stored in a legally compliant manner. This data is crucial for other things such as returns and refunds.
Proportionality is a big concept in EU law, and it's explicitly written into the GDPR.
Article 83 ("General conditions for imposing administrative fines") states that:
> Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article [...] shall in each individual case be effective, proportionate and dissuasive.
SAs can't just hand out big fines for the sake of big fines. If a fine is issued then the SA's ruling can be challenged on the basis of proportionality.