Airbnb at risk of “massive” fine for data protection breach

Europe: Airbnb is facing a potentially “massive” fine under GDPR [General Data Protection Regulation] legislation after notifying the Irish Data Protection Commission of a data breach that allowed some of its users in Europe and around the world to view other hosts’ private inboxes last week.

The home-sharing platform informed the data protection tsar in Ireland, which is responsible for the enforcement of GDPR legislation across all of Europe. Incidentally, Airbnb’s European data is hosted by its Dublin branch.

It comes as the company’s users reported a ‘glitch’ in Airbnb group discussions online last Thursday, while screenshots of the errors were shared online on social networks such as Reddit, Twitter and private group chats.

Customer services on the 24-7 support line recommended users to clear browser cookies or to use a different internet browser if and when hosts could see others reporting the same issue.

At the time, Mark Simpson, founder of direct bookings resource Boostly and hospitality business expert, said: “It is shocking to see accommodation hosts’ data revealed. Not only that but I could see other hosts’ sensitive information including passwords, phone numbers and key access codes for their units.

“A global company should take better care of their paying hosts and guests,” he added.

In a statement, Airbnb said that “technical issues resulted in a small subset of users inadvertently viewing limited amounts of information from other users’ accounts” and that it had “fixed the issue quickly”.

According to Airbnb, no personal information is believed to have been misused and payment information was not accessible at any point during the technical issue period, between 9:30 am US Pacific Time and 12:30 pm US Pacific Time.

It added that the issue was not the result of a malicious attack on Airbnb infrastructure and only existed on the desktop and mobile web platforms, rather than the mobile app.

Airbnb hosts have voiced concerns that their personal data, including passcodes or payment information, may have been compromised and open to hackers.

ProPrivacy digital privacy expert Ray Walsh told The Telegraph that the incident could leave Airbnb liable to “massive fines” according to the latest GDPR EU legislation, whereby firms can be fined up to four per cent of their annual global turnover for the most significant breaches.

He said: “It will now be necessary to launch a full investigation into the leak to ascertain how and why it occurred, and to figure out what culpability Airbnb should face for having caused such and dangerous data leak.”

A data leak would potentially infringe on the data privacy rights of Airbnb hosts as they did not know where their data was being stored or how it was being used.

While Articles six and seven deal with the lawful bases for processing personal data, sharing information across different countries also triggers extra responsibilities in chapter five of the GDPR legislation. Penalties for a GDPR data breach could reportedly reach up to £17 million.

Meanwhile, Airbnb was at the centre of another data breach debate in 2019, when the platform was accused of ignoring requests to access and erase accommodation host data within 30 days under Article 15.17 of GDPR.