Diario Sur - Diario de Málaga. Noticias de Malaga

Sections

Services

Highlight

Delete
Hotel in Spain slapped with fine for failing to protect confidentiality of customers with booking reservations
Data protection

Hotel in Spain slapped with fine for failing to protect confidentiality of customers with booking reservations

The Spanish data protection agency (AEPD) acted after cybercriminals obtained client details and sent a fraudulent link to guests as a step prior to confirming the accommodation

Susana Zamora

Susana Zamora

Madrid

Friday, 5 July 2024, 17:39

After making a reservation for a stay at a hotel in Spain through booking.com, a customer received a message via WhatsApp in which a person - presumably the manager of the establishment - addressed her by her first and last name and asked her to confirm the booking. "Hello, my name is XXX. You booked your accommodation on booking.com. I am the manager and we are looking forward to meeting you, but I have to finalise the reservation. Please let me know if it is correct so I can confirm it," read the first message.

After doing so, the customer received another message: "OK. Please follow this web link to confirm your booking. Your payment will be processed according to the terms of your agreement with booking.com. You have a free cancellation option, so don't worry about cancellation. Thank you for your understanding."

The customer was next provided with a link to enter her credit card details, but she became suspicious and decided to contact the hotel to ask if it was fraudulent, and to her surprise, she was told that they were already aware of other similar cases.

Now, the Spanish data protection agency (AEPD) has fined the hotel company 7,000 euros, after the client complained it had not taken the appropriate security measures to minimise the risk of fraud and for not duly guaranteeing the confidentiality and integrity of personal data as a result of the security breach that occurred.

Origin of breach unknown

Although the origin of the breach is still unknown, the company has acknowledged that the source of the message to the customer may have been caused by negligence on the part of the hotel in falling for the phishing scam.

The chronology of the events, according to the AEPD, states that the hotel "on 30 January 2023, asked its IT department to modify the passwords of the emails. On 3 February 2023, the attempted fraud took place, which is the subject of the complaint filed". For her part, the client contacted the accommodation on 3 February 2023. This was when she phoned and sent an email alerting them of the incident. When she arrived at the accommodation a few days later, the person who attended her at reception told her that "they knew that the leak had occurred and were investigating the source".

The hotel stated that, on 30 January 2023, its IT department did indeed change the passwords of the email addresses and, after having changed the password to access the reception email, the incident was resolved. As to the reason for this change, they stated: "They accessed the company's email and proceeded to change the password", without providing further details.

Therefore, in accordance with the above, the AEPD considers that the hotel would be liable for the violation of articles 5.1 c, 32.1 and 33.1 of the General Data Protection Regulation. "The obligation to adopt the necessary measures to guarantee the security of personal data cannot be considered an obligation of result, which implies that if personal data is leaked to a third party, there is liability regardless of the measures adopted and the activity carried out by the data controller."

Fine

The AEPD proposed a fine of 3,000 euros for infringement of article 5.1.f of the GDPR (principle of confidentiality), by failing to ensure that only authorised persons could access them. Another 2,000 euro fine was added for breach of Article 32.1 of the GDPR, considering that the company had not implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing; along with a further 2,000 for breach of Article 33.1 of the GDPR, which requires notification of security breaches to the supervisory authority and to those affected.

However, having accepted fault and agreeing to make the payment, the company has benefited from two reductions and was instructed to pay just 4,200 euros in the end.

Publicidad

Top 50
  1. 1 Costa del Sol town will be 'one of the most spectacular areas in southern Europe', according to mayor
  2. 2 Junta gives green light to Costa del Sol road widening project
  3. 3 Violent death in Malaga village: 'my brother died to save my life'
  4. 4 65-year-old suffers heart attack while playing walking football on Costa del Sol
  5. 5 Spain's Carlos Alcaraz out of Australian Open after being outclassed by veteran Novak Djokovic
  6. 6 Communities of owners and tourist rentals in Spain
  7. 7 Demolition complete of building on land earmarked for new cultural centre in Benalmádena
  8. 8 Benalmáderna to install sun shades in open spaces to protect school pupils from 'intense summer heat'
  9. 9 Police appeal for public's help to find missing 13-year-old Gibraltar girl
  10. 10 Water supply in Malaga town to be cut from Monday night to 'improve municipal network'

Publicidad

Publicidad

Publicidad

Esta funcionalidad es exclusiva para suscriptores.

Comentar es una ventaja exclusiva para registrados

¿Ya eres registrado?

Inicia sesión
Espacios grises

Reporta un error en esta noticia

* Campos obligatorios

Política de privacidad

surinenglish Hotel in Spain slapped with fine for failing to protect confidentiality of customers with booking reservations