Booking.com fined €475k for reporting data breach too late (therecord.media)
261 points by DyslexicAtheist on April 6, 2021 | hide | past | favorite | 83 comments



They have a $100B enterprise value, and make ~$4B/year in GAAP income. This is not even the yearly cost of a higher level lawyer. If you make $200k/year then the fine would correspond to a $30 ticket. Lol, just lol.


This fine is just for their Dutch operations, which is far smaller than their global operation. I estimate this to be about 1% of their expenses in NL, so in your analogy, this'd be a $2k fine.

Also: the crime isn't that bad. They did report the breach of their own accord, and acted according to the laws at hand. The report may have been two weeks too late, but it was there. Their preventative measures and reaction were deemed good enough, just not timely. A crippling fine wouldn't have been appropriate, given the verdict.

The company could have avoided the fine by doing exactly the same thing they did, just a little faster. The fine counterbalances the cost-savings they may have had by having fewer people work on this. A future manager will probably see the fine, and decide just to put a little more resources into this, so the report can be on time. When that happens, the fine has served its purpose.


You are right, in the context lawyers/regulators/etc. are operating within.

OTOH, in a wider context, you have to concede OP's "lol" perspective is true too. The money itself has little/no possible deterrent effect.

"Just for their Dutch operations" is a lawyerly frame... it isn't a business frame. booking.com's Dutch business operations aren't really separate. Any security/transparency practices beyond "compliance" almost certainly exist across borders.

I agree though that a fine (any amount) can be enough to adjust resources/practices on a small scale. On a bigger scale, the threat of a fine (any amount) probably is not enough to deter much. I.e., if changes are strategic, costly or impact revenue... a fine will always be cheaper.


I think this is the total fine for the entire EU. Usually one of the Data Protection Authorities takes charge of the investigations, and since Booking has their HQ in Amsterdam, it was the Dutch one in this case. They mention that they coordinated with other DPAs.


I guess the idea is to make it hurt, not ruin a business. How would a 0.5M fine hurt a business with 4B revenue, you may ask, but I think that it will hurt the people responsible for the leak, since it will be known within the company that someone screwed up or someone is pure evil, two labels that you don't want to get in a workplace.

Companies spend a lot of money and energy on projecting an image, not only to the outsider but also to the insiders.

Unless they pride themselves on being evil and on cut-throat office politics, I bet this fine will make a dent in someone's image and will trigger some policy change or similar.

Companies are not really monoliths, despite their efforts to be seen as such.


I don’t think the idea is to “make it hurt” so much as to make compliance more affordable than non-compliance. If the “right” response to a data breach is also the most cost effective then it’s infinitely more likely that a business will pursue the right response. Unfortunately, the right response is most often the most expensive and so is actively avoided by management because, at the moment at least, sweeping it under the rug and keeping your mouth shut is free and only a tiny bit of a gamble that someone finds out.


Exactly that. Disclosing earlier would've definitely been cheaper than $500k. And even billion dollar companies care about $500k. Companies that don't care if they spend $500k on a fine or not don't tend to exist for very long.


It looks like the idea is to be very selective about who gets fined. CPS Utrecht ("Veilig Thuis") also got a data leak. Everything got leaked: from files on children, medical files on children and adults, phone calls, emails, ... the works.

The fine? It wasn't even mentioned that a fine would be forthcoming. Until city hall took steps to replace the organisation they refused to modify their systems and stop the still-in-progress leak. It got to be a scandal.

So clearly: the idea is to fine only people they feel like fining. Anything even tangentially related to the government (this is a private for-profit organization (running quite a decent profit I might add, as well as paying management very nicely) that merely works for the government) does not get fined, even for leaking much, much more sensitive information.

Needless to say, CPS has still not changed their processes to better secure medical files. They are still being sent, without any encryption or authentication, over email. So it's not just that they weren't fined: the whole purpose of the data protection law, actually keeping the data safe, was ignored entirely even when they got caught spreading extremely sensitive information around and storing it without encryption.

https://www.rtlnieuws.nl/tech/artikel/4672826/jeugdzorg-data...


How in the actual fuck are they still operating? If the government doesn’t do anything about it I’d very quickly expect a mob with pitchforks outside their office.

> This is the worst thing that can happen to us

Sounds like they think it’s some sort of natural disaster that happened to them. I have no words.

Thank god it was two good guys registering the domain.


On GDPR, it seems HN has two completely opposing reactions depending on the time since a fine has made headlines. If it's been a while, the prevailing sentiment seems to be "the big bad EU will financially ruin me for my side project if I don't hire a full-time data protection lawyer", and when a fine is actually issued, it's "that's not even a slap on the wrist, who's going to care, lol". It's almost as if EU data protection agencies reacted proportionately to the severity of the misdeed. This is a leak affecting 4109 customers, after all, not a full compromise of booking's systems.


It's almost as if different people have different opinions and aren't a perfectly agreeing hivemind!


1. People tend to write their opinion under threads that bother them.

2. HN is not a single instance but consists of many individuals.

=> The "opposing reactions" are to be expected.


> "the big bad EU will financially ruin me for my side project if I don't hire a full-time data protection lawyer", and when a fine is actually issued, it's "that's not even a slap on the wrist, who's going to care, lol"

The relevant question, then: what is the history of GDPR enforcement against small companies? Personally I have no idea, as typically only the big cases make the front-page.


https://www.enforcementtracker.com/

For example, a police officer was fined 48 euro for accessing "personal data in a police database for private research activities", a housing association was fined 500 euro for "publishing photos showing members of the association without their consent" and Borjamotor, S.A. (which appears to be a Spanish Opel dealership) was fined 4000 euro for "sending commercial advertisements to the data subject via email and SMS, even though the data subject had previously revoked his/her consent to receive advertisements and submitted a request to delete his/her data".


Seems like enforcement appears to be fair and the million-dollar fines that were supposed to bankrupt individuals & small businesses didn't actually happen.


The (Google translated) details[1] of the police officer situation are interesting. He searched his fiancé in the police database and it seems like his employer is the one who reported it to the DPA. I’m actually a bit surprised a police force would report “one of their own” for such an infraction.

[1]https://n7uofv7rfwwdpbwmcuqmohfsnu-adwhj77lcyoafdy-www-aki-e...


Estonia has a pretty good legal/law enforcement system.


Is the fine an "EU fine" or a "Netherlands fine"? I'd expect the fine to be proportional to the territory issuing it, not to the total global value of the company. You would not expect this fine to be e.g. 10% of the company's global valuation, and then have 9 other countries issue a similar fine and destroy the company.

Netherlands being 1% of the global GDP, this would be proportional to a $50B "global fine" or 50% of the company valuation. So in that sense, it even seems too big.

EU being 20% of the global GDP, this would be proportional to a $2.5B "global fine" or 2.5%, which IMHO seems small-to-fair for a data leak of this type.


Your numbers are off by 3 orders of magnitude, the fine is just under half a million, not half a billion.


The problem being, if you fine them 500M for a crime they reported, the next time they won’t report anything.


GDPR maximum fines are dictated by global revenue.

>Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:


Well, at least it is progress from no fines at all or $1000 fines.

Still, should be 10 or 100 times more.


It's a number that will cause them to sit up and take notice, without starting a multi-year legal war. It signals to booking.com and other companies that the regulator is not asleep. The implicit threat is: fix your behaviour, everyone, or worse fines will follow.

To be honest, I can live with that.


I also would be fine as long as "or worse fines will follow" is true.

I would consider it desirable that egregious, systematic and catastrophic security failures result in fines and penalties large enough to bankrupt companies[0]. But starting from that is not a good idea; I agree that some warning is a good idea.

[0] for example $2000 for every single leaked address that they deliberately collected (if the company is scared: then they should not ask the user for address data! Companies very rarely actually need it, and they still ask.).


For catastrophic failures the fines certainly become very large very quickly. And follow up fines if behaviour isn't changed do go up as well. So far, it's usually the former as most companies adjust by their first fine.


The size of the fine will probably increase the value of the company and sector as it reduces model assumption for future regulatory penalties now that a precedent has been set.


> They have a $100B enterprise value

That number is meaningless for how much a company is hurt by a fine. A market valuation is just based on the current stock price. It doesn’t mean that the company has access to that much cash or assets.


From an investor's perspective it's not meaningless. This is a one-off expense which can be safely ignored. This won't even impact the valuation of my investment, in fact the size of the fine will probably increase the value of the company as it will enable me to reduce my assumption for future regulatory penalties now that a precedent has been set.


Except that repeated violations of GDPR are a cause to increase the fine as per the text.

>When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:

>(e) any relevant previous infringements by the controller or processor;


Across the wider sector, the fine is a good data point for investors. Even if the fine were doubled or tripled next time, it will be an outcome that won't really change behaviors.


They could issue new stock if they needed.


Keep in mind that if they do it again the fine will be much larger. This isn't the USA, and the Dutch DPA is not the FTC. If Booking.com does this again the next fine will be much larger.


They used to make ~$4B/yr.


> it is important to note that hotels inadvertently provided their Booking.com account login details to online scammers, there was no compromise of the code or databases that power the Booking.com platform.

Interesting precedent. The platform is responsible not just for their own security practices, but also their users' security practices.


> Interesting precedent. The platform is responsible not just for their own security practices, but also their users' security practices.

Well, not really. Booking didn't get fined over security practices. They got fined over not notifying of a breach of their users data within 72 hours.

So you're not really "responsible for users' security practices", you're "responsible for notifying users/authorities in time when you notice leaks/breaches". Seems rather different to me.


This case is rather complex, because the customers have a contractual relationship both with booking.com and directly with the hotel. This makes it difficult to tell whose responsibility the breach notification is. I would have said that it's the responsibility of the individual hotels here.


Would Facebook have to inform me within 72 hours if someone got access to another account that can read private info of my account? I don't think that Facebook (or similar networks) disclose such breaches. At least I've never seen information on that.


Notifying users about a breach is a security practice, so they are being fined specifically because of their own security practices.


On the other hand, if we consider the hotels as just a "user", why would they have access to full CC details, including security code.

As someone booking a hotel on the site, I would expect booking.com to take responsibility for keeping my payment details secure (or, if they want to operate like a marketplace, make it clear that they're not taking responsibility, but in that case it loses a lot of value to me as an end user).


Traditionally Booking.com operated mostly as a marketplace ("agency" model, as opposed to "merchant" model like Expedia [1]). The contract and the payments are between the guest and the hotel, not between the guest and Booking. (Booking bills the hotel afterwards for the commission, they don't bill the guest for the stay.)

Of course they don't always make this very clear to the consumer, and it seems to have gotten more muddled in the last few years. I think they're trying to nudge people more towards their own payment platform nowadays.

[1] https://www.businessinsider.in/this-is-why-booking-coms-agen...


> why would they have access to full CC details, including security code.

yeah I stopped using booking because of this. a hotel decided that the card used for the reservation was the one to charge for my stay and charged it the day of arrival, and I only discovered this later when trying to reserve a rental car and I hit my card limit and couldn't.

that pissed me off in so many ways: first because the booking wasn't an upfront payment but the hotel charged it anyway, second because booking disclosed my cc details to a third party instead of being a neutral escrow, and third of course because it bit me in the ass at the worst possible moment, as my car broke down and I needed to cover a rental and repairs while sorting out the rest of the travel.


Sounds like you have a habit of not reading terms. For as much as I loathe Booking, pay-on-arrival is clearly stated, and there is no escrow because you're paying the hotel directly.


the terms say 'pay at the property', not on arrival, and they say the hotel 'reserves the right to temporarily hold an amount prior to arrival', not that it will charge the stay on your provided card.


Straight from the checkout step where you enter a credit card:

> The property will charge you: €xxx

> The date you'll be charged—and what happens if you cancel—depends on the booking conditions.

And then the booking conditions (set by the property):

> You'll be charged a prepayment of the total price at any time.


your terms are wildly different from mine https://i.imgur.com/4qKVrBl.png https://i.imgur.com/Ty7plol.png so maybe tone down the snarkiness and accept that service customs aren't as uniform as your anecdote made you assume them to be


The parts you highlighted refer to the online booking, and are correct - no charge to your card happened at the time of booking, you were charged by the hotel on arrival - as is custom on every hotel check in, online booking or not.

On top of that, anyone taking a large payment via CC will usually require payment on the same card used for the authorization hold. Accepting another card is risky as funds can be easily made unavailable before the transaction settles.

You just had wrong expectations - on cc charges, that booking would be a “neutral escrow” or be able/willing to help. I’ve been in a similar situation where they held the entire reservation amount, in the thousands, while having already taken payment, and it’s 100% up to the hotel. They just don’t give a shit.

This is yet another reason why CCs are a terrible idea. Having the funds in a checking account and not being able to use them because of credit limit shenanigans is infuriating.


> you were charged by the hotel on arrival - as is custom on every hotel check in, online booking or not

again, you're over generalizing your personal experience. booking on arrival happened to me exactly once. but you're not listening and keep repeating points that don't really apply to the situation at hand.


Sadly that's not how these platforms operate; they provide the card for the security deposit usually.

That's why I've used Agoda every time I could (works well in Asia, spotty elsewhere), because they allow paypal payment. Hotel will still want your card for the deposit but you can just provide it on the first day.

This way you don't have to fight with a place that did overbooking or similar and still has your card on file.


While the individuals themselves may be thought of as users, they are employees of 3rd party partners who act as data handlers and/or data processors. As such it is entirely appropriate that the platform is responsible for this compromise (although depending on the terms of the contract, they could seek restitution from the 3rd parties).

If you as a consumer give your booking.com login information to someone and your information is subsequently stolen, Booking.com would not be responsible for your security practices.


>but also their users' security practices.

Of course, as the leak would be traced to them as well. When it comes to GDPR you'd like to manage the exposure and the liability associated with having the data. Normally it should be that even the admin operators are not to be trusted with full account/payment/etc. details en masse, and very special care is taken with exports/reports.


Still waiting for Expedia to own up to their breach, since way before 2019. (source: ex-employee)


The SEC has a whistleblower program. A material breach of a public US company is definitely of interest to them.


I am not sure I am in a position to report it. I don't have too much detail other than that it was Ubiquiti levels of "ownage". Surely the SEC can see (or be made aware of) comments like this and start their own investigations, no?


Full credit card details were leaked; The 72 hour window is reasonable. I’d go as far as forcing them to contact the banks of those cards as well.


As far as I know there is no legal basis for them to contact the banks, at least under GDPR. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) is there to enforce GDPR and will not add additional requirements.


Right, my suggestion is that it should. Yahoo’s settlement included identity protection or something along those lines. Disclosure to the customer might not always be enough.


Notifying banks will likely be required by their payment processor, not by the GDPR, those are two separate processes.


This is an effective non-fee for an entity their size. I'd assume we see the associated negative pattern - there's little real legislation impact, meaning there's little value in reporting, when examined economically. Were the fine larger, or more severe the reverse message would be sent.

From a certain (not my) point of view poor compliance was just incentivized.


I disagree. Even in a company the size of Booking, top management cannot think “it’s only half a million”.

I expect some manager will get a strongly-worded message about their department costing the company half a million because they waited too long before reporting the breach. That department, likely, will also see bad evaluations.

I also expect Booking will use this case as an example to all other departments.

And that’s ignoring the fact that, if Booking doesn’t change, and something similar were to happen again, the fine likely would be higher.


One can easily think it's only half a million. That number while large for many organizations, isn't for others. Simply put, it's cheaper to pay this fine than build out the (likely) necessary compliance team. Were the fine commensurate with income I think it would go further.


Half a million here, half a million there and before you know we’re talking real money.

Also, if this article is correct, they have everything in place to handle this kind of breach. In the handling, the only thing that went wrong was that they informed the authority too late. It took them 3 weeks, while it has to happen within 3 days. Booking states they contacted affected customers before that.


I think it depends.

If the behavior they were fined for was strategically useful to the company, then they will definitely think “it’s only half a million” and keep doing it unless they think the fine will be much larger next time.

If it was just a fuck-up, then what you're describing will happen.


Well, it's better than nothing I guess?

This is a fine for failing to report a breach after 22 days (not for the breach itself), of around 4000 users.

Though I agree it could be higher for these organizations, it's also not a small fine just to fail to report.


The fine is about the late report, not about lacking security practices/mechanisms. It's the first fine - more like a warning - hire a couple of people to deal with this, as the next fine would be order(s) of magnitude larger.


According to Regulation 679/2016/EU, aka the GDPR, fines could be much higher. Up to 4% of the total worldwide revenues (revenues, not profits).

Moreover, repeated violations are expressly a parameter for higher fines. So non-compliance as a strategy is not really viable.


Well worth looking at Troy Hunt's views on this (from 2017)

https://www.troyhunt.com/data-breach-disclosure-101-how-to-s...


Matt Taibbi said something during the 2008 financial crisis that has always stuck with me, paraphrasing: "Look at the figure a corporation pays in a fine to a regulator, multiply it by 10, and you'll have roughly the amount they profited from their misdeed."


When are countries & users going to fine FB for leaking data?

It's such a boring dystopia that the only response they have is "it's from 2019", like WTH?


As soon as the respective agencies analysed it and get to it. This doesn't happen over night, but is a more complex process which will quite certainly happen.


It may be a boring dystopia, but, you can't be fined for the same crime over and over again, can you? https://www.dw.com/en/facebook-data-on-millions-of-user-acco...


GDPR violations aren't a crime. You can be fined multiple times for the same issue if you, for example, are being a complete ass towards the DPA or you refuse to fix underlying issues.


FB is being blocked by the Irish DPA, since EU FB is HQ'd there. Sadly this one loophole made it into the GDPR, so the other DPAs can only forward to the Irish agency for FB issues.


They make that in probably the time I took to write this comment. Source: used to work there.


Does this breach only affect users in the EU, or also in the US?


Why do companies even store user data?

Any purchase I make, the shop needs my address and my payment info. It's always the same. Every browser can autofill it, if they bothered using the correct forms. Once the transaction is done, the invoice mailed and the product shipped - there is 0 need for this data to still be stored in their database.

-> Address and payment info - browser auto fill

-> purchase history - invoice via mail

I used to be heavily biased to buy from Amazon, since it is basically one click. But lately, I'm more and more buying from smaller online shops which provide checkout without user account.

I'm sure there are many things where you need to store user data, but also, there are definitely more things where user data is stored although it is not needed.

And ultimately, that is the spirit of GDPR - ask yourself if you really need to store that data.


BCOM are not processing the payment here. They provide a "Hotel Login" which then lets the hotels view (up to N times) the raw card information of the guest for use internally in their own payment processes. There are various approaches that they make available; this is one of a few. More recently Booking.com started to move away from providing the raw card information and instead providing a virtual card whose "Activation" date only becomes enabled once the cancellation policy for the guest booking kicks in (allowing the hotel to charge before arrival). There's also an API approach, but the leading way to get access to the card/payment information __because__ BCOM are not merchants here is to provide this to the merchants/hotels through a BCOM login page. Reading between the lines, this is what I think was exposed.
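The two comments above (the one about admin operators not being trusted with full payment details en masse, and this one about hotel logins that reveal raw card data "up to N times" and virtual cards that only activate once the cancellation policy kicks in) describe an access pattern rather than code. The following is an added example written for this page, not Booking.com's implementation and not code from any commenter. It models a toy card vault in which the platform holds the raw card, a hotel receives a grant that is scoped to that hotel, capped at N reveals and not usable before an activation time, every reveal or denial is written to an audit log, and bulk exports only ever carry a masked PAN. The class and method names (`CardVault`, `grant`, `reveal`, `export_report`) and the card numbers are constructed for illustration.

```python
"""Toy card vault: hotel-scoped, count-limited, time-boxed card reveals.

Illustrative model only (not Booking.com's code). Card numbers used in
the demo are constructed test values, not real cards.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List
import secrets


@dataclass(frozen=True)
class Card:
    pan: str      # full card number, never exported in bulk
    expiry: str
    cvv: str      # never exported in bulk


@dataclass
class Grant:
    hotel_id: str        # the only partner allowed to use this grant
    token: str           # vault token of the underlying card
    max_reveals: int     # "up to N times"
    activation_at: datetime  # not usable before this instant
    reveals_used: int = 0


class RevealDenied(Exception):
    pass


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, e.g. ************1111."""
    return "*" * (len(pan) - 4) + pan[-4:]


class CardVault:
    def __init__(self) -> None:
        self._cards: Dict[str, Card] = {}
        self._grants: Dict[str, Grant] = {}
        self.audit_log: List[str] = []

    def store_card(self, card: Card) -> str:
        """Store raw card data and return an opaque token for it."""
        token = secrets.token_hex(16)
        self._cards[token] = card
        return token

    def grant(self, token: str, hotel_id: str, max_reveals: int,
              activation_at: datetime) -> str:
        """Issue a scoped grant; the hotel never sees the vault token."""
        if token not in self._cards:
            raise KeyError("unknown card token")
        grant_id = secrets.token_hex(8)
        self._grants[grant_id] = Grant(hotel_id, token, max_reveals, activation_at)
        return grant_id

    def _deny(self, now: datetime, grant_id: str, hotel_id: str, reason: str) -> None:
        self.audit_log.append(
            f"{now.isoformat()} DENY grant={grant_id} hotel={hotel_id} reason={reason}")
        raise RevealDenied(reason)

    def reveal(self, grant_id: str, hotel_id: str, now: datetime) -> Card:
        """Return the raw card only if scope, activation time and count allow."""
        g = self._grants.get(grant_id)
        if g is None or g.hotel_id != hotel_id:
            self._deny(now, grant_id, hotel_id, "scope")
        if now < g.activation_at:
            self._deny(now, grant_id, hotel_id, "not_active")
        if g.reveals_used >= g.max_reveals:
            self._deny(now, grant_id, hotel_id, "limit")
        g.reveals_used += 1
        card = self._cards[g.token]
        # Log the event with a masked PAN so the log itself is not a card dump.
        self.audit_log.append(
            f"{now.isoformat()} ALLOW grant={grant_id} hotel={hotel_id} "
            f"pan={mask_pan(card.pan)} use={g.reveals_used}/{g.max_reveals}")
        return card

    def export_report(self) -> List[dict]:
        """Bulk export for operators/reports: masked PAN, no CVV."""
        return [{"token": t, "pan": mask_pan(c.pan), "expiry": c.expiry}
                for t, c in self._cards.items()]


if __name__ == "__main__":
    vault = CardVault()
    tok = vault.store_card(Card("4111111111111111", "12/27", "123"))  # constructed
    booked = datetime(2021, 4, 1, 12, 0)
    gid = vault.grant(tok, "hotel-42", max_reveals=2,
                      activation_at=booked + timedelta(days=1))
    try:
        vault.reveal(gid, "hotel-42", booked)   # too early: denied
    except RevealDenied as e:
        print("denied:", e)
    print(vault.reveal(gid, "hotel-42", booked + timedelta(days=1)).pan)
    print(vault.export_report())
```

The point of the model is that the raw card is reachable only through a grant that carries its own policy; a stolen hotel login still cannot reveal cards before activation, beyond the reveal cap, or for a different hotel's bookings, and every attempt leaves a log line that can be alerted on. The bulk export path never touches the CVV at all.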


I'd expect that the name and address will still be stored in their payment processor.

Then the invoice itself (containing your name/address/payment method) will need to be stored by the company in some form for accounting regulations.


> Once the transaction is done, the invoice mailed and the product shipped - there is 0 need for this data to still be stored in their database.

This data can often still be necessary for legal and/or tax purposes.


There's nothing wrong with storing customer purchase data as long as this is processed and stored in a legally compliant manner. This data is crucial for other things such as returns and refunds.


Companies must archive invoices for 10 years. But of course that doesn't necessarily require keeping an account for the customer.


Wasn't the GDPR supposed to award fines in the range of millions?


Proportionality is a big concept in EU law, and it's explicitly written into the GDPR.

Article 83 ("General conditions for imposing administrative fines") states that:

> Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article [...] shall in each individual case be effective, proportionate and dissuasive.

SAs can't just hand out big fines for the sake of big fines. If a fine is issued then the SA's ruling can be challenged on the basis of proportionality.


It can but it doesn't require the fines to be in the millions. AFAIK there are 21 GDPR fines that are in the millions of euro.



