Why was Booking.com fined under the GDPR?

Booking.com was fined not for the breach itself but for delayed GDPR breach notification and failing to demonstrate proper internal escalation and risk assessment.

What is the GDPR 72-hour notification rule?

Under GDPR Article 33, a controller must notify the competent supervisory authority of a personal-data breach within 72 hours of becoming aware, unless the breach is unlikely to result in risk to individuals.

What do regulators actually expect in a breach response?

A documented risk assessment, a justified notification decision, and a clear timeline of what was known and when. Perfect information is not required; structured decision-making is.

GDPR · Breach Response

The €475,000 Lesson: What Booking.com Got Wrong After Its Breach

Updated April 2026 · ~5 min read · For CISOs, DPOs, and internal counsel

When a cyberattack happens, most companies focus on containment. But regulators focus on something else entirely: what you do next. That is exactly where Booking.com failed — and why it was fined under the GDPR.

What happened

Attackers gained access to customer data through compromised credentials. The breach itself was not the biggest issue. The real problem was delayed breach notification.

Why they were fined

Under the GDPR, when a personal-data breach occurs you must:

notify the supervisory authority within 72 hours of becoming aware,
assess the risk to individuals immediately,
document every decision along the way.

Booking.com:

took too long to report,
failed to assess impact fast enough,
could not demonstrate proper internal escalation.

The real takeaway

You are not fined for being hacked. You are fined for being unprepared, slow, and unclear.

What you should do instead

1. Pre-define your breach response

Who decides severity?
Who contacts regulators?
Who owns external communication?

2. Implement real-time detection

Alerts beat manual discovery. Assume breaches will not be obvious — adversaries optimise to avoid detection, and average dwell time still runs into weeks.

3. Run breach simulations

If your team hesitates, you will miss the 72-hour window. Tabletop exercises — ideally one per quarter — turn an ambiguous moment into a rehearsed one.

Bottom line

Cybersecurity is not just prevention. It is how fast and clearly you respond when things go wrong. A defensible response is the difference between a controlled incident and a public penalty.

Talk to us about breach readiness