Delete
Hotel in Spain slapped with fine for failing to protect confidentiality of customers with booking reservations
Data protection

Hotel in Spain slapped with fine for failing to protect confidentiality of customers with booking reservations

The Spanish data protection agency (AEPD) acted after cybercriminals obtained client details and sent a fraudulent link to guests as a step prior to confirming the accommodation

Susana Zamora

Madrid

Friday, 5 July 2024, 17:39

Opciones para compartir

After making a reservation for a stay at a hotel in Spain through booking.com, a customer received a message via WhatsApp in which a person - presumably the manager of the establishment - addressed her by her first and last name and asked her to confirm the booking. "Hello, my name is XXX. You booked your accommodation on booking.com. I am the manager and we are looking forward to meeting you, but I have to finalise the reservation. Please let me know if it is correct so I can confirm it," read the first message.

After doing so, the customer received another message: "OK. Please follow this web link to confirm your booking. Your payment will be processed according to the terms of your agreement with booking.com. You have a free cancellation option, so don't worry about cancellation. Thank you for your understanding."

The customer was next provided with a link to enter her credit card details, but she became suspicious and decided to contact the hotel to ask if it was fraudulent, and to her surprise, she was told that they were already aware of other similar cases.

Now, the Spanish data protection agency (AEPD) has fined the hotel company 7,000 euros, after the client complained it had not taken the appropriate security measures to minimise the risk of fraud and for not duly guaranteeing the confidentiality and integrity of personal data as a result of the security breach that occurred.

Origin of breach unknown

Although the origin of the breach is still unknown, the company has acknowledged that the source of the message to the customer may have been caused by negligence on the part of the hotel in falling for the phishing scam.

The chronology of the events, according to the AEPD, states that the hotel "on 30 January 2023, asked its IT department to modify the passwords of the emails. On 3 February 2023, the attempted fraud took place, which is the subject of the complaint filed". For her part, the client contacted the accommodation on 3 February 2023. This was when she phoned and sent an email alerting them of the incident. When she arrived at the accommodation a few days later, the person who attended her at reception told her that "they knew that the leak had occurred and were investigating the source".

The hotel stated that, on 30 January 2023, its IT department did indeed change the passwords of the email addresses and, after having changed the password to access the reception email, the incident was resolved. As to the reason for this change, they stated: "They accessed the company's email and proceeded to change the password", without providing further details.

Therefore, in accordance with the above, the AEPD considers that the hotel would be liable for the violation of articles 5.1 c, 32.1 and 33.1 of the General Data Protection Regulation. "The obligation to adopt the necessary measures to guarantee the security of personal data cannot be considered an obligation of result, which implies that if personal data is leaked to a third party, there is liability regardless of the measures adopted and the activity carried out by the data controller."

Fine

The AEPD proposed a fine of 3,000 euros for infringement of article 5.1.f of the GDPR (principle of confidentiality), by failing to ensure that only authorised persons could access them. Another 2,000 euro fine was added for breach of Article 32.1 of the GDPR, considering that the company had not implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing; along with a further 2,000 for breach of Article 33.1 of the GDPR, which requires notification of security breaches to the supervisory authority and to those affected.

However, having accepted fault and agreeing to make the payment, the company has benefited from two reductions and was instructed to pay just 4,200 euros in the end.

Reporta un error en esta noticia

* Campos obligatorios