When a cyberattack happens, most companies focus on containment. But regulators focus on something else entirely: what you do next. That is exactly where Booking.com failed — and why it was fined under the GDPR.

What happened

Attackers gained access to customer data through compromised credentials. The breach itself was not the biggest issue. The real problem was delayed breach notification.

Why they were fined

Under the GDPR, when a personal-data breach occurs you must:

  • notify the supervisory authority within 72 hours of becoming aware,
  • assess the risk to individuals immediately,
  • document every decision along the way.

Booking.com:

  • took too long to report,
  • failed to assess impact fast enough,
  • could not demonstrate proper internal escalation.

The real takeaway

You are not fined for being hacked. You are fined for being unprepared, slow, and unclear.

What you should do instead

1. Pre-define your breach response

  • Who decides severity?
  • Who contacts regulators?
  • Who owns external communication?

2. Implement real-time detection

Alerts beat manual discovery. Assume breaches will not be obvious — adversaries optimise to avoid detection, and average dwell time still runs into weeks.

3. Run breach simulations

If your team hesitates, you will miss the 72-hour window. Tabletop exercises — ideally one per quarter — turn an ambiguous moment into a rehearsed one.

Bottom line

Cybersecurity is not just prevention. It is how fast and clearly you respond when things go wrong. A defensible response is the difference between a controlled incident and a public penalty.

Talk to us about breach readiness