Data breach at ‘Booking.com’

Data breach at ‘Booking.com’; authorities issue fine for late response

Data breaches and data protection have become major concerns for organizations these days. Safeguarding sensitive information has become a hard mountain to climb in today’s society. Even after modern safety precautions are invented and established, hackers find minute vulnerabilities in them to exploit and sneak into the company's network and systems. It's high time we address this issue, as threat actors are becoming technically stronger and more skilful.

During the first week of April 2021, the Dutch Data Protection Authority (DPA) issued a fine of 475,000 euros against the famous online booking platform “Booking.com” because it failed to report a data breach to the DPA in time. As per the rule, any organization that faces a data breach must immediately report it to the DPA and provide details about the leaked data. Unfortunately, “Booking.com” took too long to do that, so it was fined heavily.

Booking.com is a private organization founded in 1996 in Amsterdam. Its main purpose is to provide tourism guidance and to book hotels and other necessary facilities for long trips. Basically, it is a company that promotes tourism and makes money out of it. Starting as a small venture, today it ranks among the top digital travel companies in the world. It is available 24×7 and can be accessed in 43 languages.

The scam was planned on a wide scale. The group attacked around 40 hotels in the UAE using a telephone scam. The incident occurred in December 2018. Through this scam, they compelled hotel staff to give out their login credentials for their Booking.com accounts. With these, the hackers successfully gained the information of 4,110 people who had booked hotel rooms in the UAE through Booking.com. The information obtained included names, addresses, phone numbers and booking data.

Roughly, the criminals made off with the financial details of 284 people. Even though most of the information could not be used directly by the hackers, they used it to conduct phishing attacks against other users. By this method they successfully stole money from people.

Once they had access to the staff's information, they impersonated Booking.com employees and approached customers asking for down payments for their stays. A huge amount of money was taken in this way.

It took 24 days for the company to report the breach. The data breach occurred on January 13, 2019, but they reported it on 7th February. As per the rule, a data breach should be reported within 72 hours. The company even failed to address the customers after the breach. They were informed about this on February 4, and the company did not take any preventive steps to stop the breach.

The officials described this as a serious violation. They also said that companies should take precautionary steps to protect customer information. For that, a prompt response process and a quick action team should be established.

Once the DPA receives a complaint, it will investigate it and warn the affected users.

Security researchers commented that an established company like Booking.com should have taken greater care while dealing with the personal data of millions of people. Customers provide their data in the belief that it is safe in the company's hands. The company should ensure strong security protocols to prevent data breaches.

Booking.com has no option other than to pay the fine.

Data breach

A data breach is the exposure of confidential, sensitive or safeguarded information to unauthorized parties. During a data breach, hackers gain unauthorized access to sensitive files.

Both individuals and organizations are likely to be affected by data breaches. Without proper protection, they can be vulnerable.

In most cases, data breaches occur due to weaknesses in technology and user behaviour.

Ways through which data breach can happen:

  • Malicious insider
  • Accidental insider
  • Lost or stolen devices
  • Outside criminals

Tips to prevent data breach

  • Patch the open vulnerabilities and update the software.
  • Ensure strong encryption for sensitive data.
  • Upgrade devices.
  • Use strong anti-virus software or a business-grade VPN service.
  • Enable multi-factor authentication.
  • Educate the employees about the prevailing threats.
