It was reported yesterday that FastBooking, a Paris-based provider of hotel-booking software, is alerting client hotels to a data breach in which an attacker lifted personal information and credit card data from guests of hundreds of properties. The breach took place on June 14, says FastBooking, which states it works with 4,000 partner hotels in 100 countries.
Commenting on this, Adam Brown, manager of security solutions at Synopsys, said “The FastBooking breach appears to be in conflict with GDPR Article 32 which discusses the security of data processing.
Article 32 states that a procedure needs to be in place for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. If this was a truly niche exploit, you could also argue that FastBooking acted appropriately given the ‘state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing to ensure a level of security appropriate to the risk’—as stated in Article 32.
Then again, this breach could have involved a well-known vulnerability which could have been detected through a vulnerability assessment. If it’s identified that known vulnerable components were involved that could have been discovered and prevented through a penetration test, for instance, FastBooking can expect to have the law read back to them.
It also appears that the data wasn’t encrypted, or if it was, the keys weren’t kept separately.
This situation could have potentially been avoided by having a deliberate and effective software security initiative driven by the firm’s leadership. However, not enough details are available as of yet to speculate on what went wrong and how it could have been handled differently.”