BCD Travel, a corporate travel management company, had data on approximately 396,000 individuals exposed after ShinyHunters claimed the company as a victim of an extortion campaign and published the data publicly in early June 2026.
What happened
According to Have I Been Pwned, in May 2026 the ShinyHunters group claimed BCD Travel as a target in a "pay or leak" extortion campaign. When the company apparently did not comply, the stolen data was published publicly in early June 2026. The breach was reported by ICT Magazine NL.
What was exposed
The published data contained approximately 396,000 unique email addresses. According to HIBP, other exposed information included names, physical addresses, phone numbers, job titles, employer names, and support ticket contents. The data spanned multiple datasets covering leads, internal staff records, and customer support interactions.
Who is affected
Around 396,000 individuals are affected, including BCD Travel customers, business leads, and internal staff members whose records appeared across the various leaked datasets.
What to do now
If you have ever interacted with BCD Travel, monitor your email for phishing attempts, as your name, employer, and contact details may be in the hands of threat actors. Be cautious of targeted messages that reference your job title or employer. Consider updating passwords on any accounts that share credentials with your BCD Travel account, and stay alert for unsolicited phone calls using your personal details.