The Dutch Data Protection Authority (DPA) – the country’s data protection regulator – has fined online travel and hotel booking company Booking.com almost half a million Euros over a data breach.

Interestingly, the fine was issued not merely because there was a breach, but because the company didn’t report the breach quickly enough:

The Dutch Data Protection Authority (DPA) has imposed a €475,000 fine on Booking.com because the company took too long to report a data breach to the DPA. When the breach occurred, criminals obtained the personal data of over 4,000 customers. They also got their hands on the credit card information of almost 300 people

According to the report, the attack was conducted against hotels in the United Arab Emirates (UAE), using social engineering tricks over the telephone.

The crooks apparently called staff at 40 different hotels in the region and talked them into handing over login details for hotel accounts on the Booking.com system.