Because Booking.com is a Dutch company, and the EU has GDPR, the incident cannot legally repeat itself. This was a 2016 incident and GDPR became effective in 2018.
GDPR isn't a be-all and end-all; Dutch laws already incorporated a lot of aspects of it, such as having to notify their customers, prior to GDPR becoming effective.
Of course it can repeat itself. Dutch laws already mandated disclosure of a breach like this before the GDPR. The company simply didn’t give a fuck and found a legal firm that gave it license not to.
As the article noted, the company operates on an “if we don’t see it and it doesn’t hurt us we don’t care” principle. Even with the GDPR, the company can still choose to not give a fuck. It just becomes a more risky gamble assuming anyone ever finds out.