Breach: BCD Travel (396,313 accounts) — Email addresses, Employers, Job titles

On 29 May 2026, a data breach affecting BCD Travel was published on Have I Been Pwned, exposing 396,313 accounts. The compromised data includes email addresses, employer names, and job titles. This incident falls under the BREACH framework, indicating a confirmed security event with verified data exposure.

The breach primarily impacts BCD Travel, a global corporate travel management firm, and its clients across multiple sectors, including finance, technology, pharmaceuticals, and professional services. Any organization that used BCD Travel for corporate travel booking may have employee data exposed. This raises significant data protection concerns under GDPR and similar regulations, as the leaked information could facilitate targeted phishing or social engineering attacks.

Compliance teams should immediately verify whether their organization’s employees are among the affected accounts by cross-referencing email domains with the breach data. They must assess whether BCD Travel was a data processor under their GDPR Article 28 agreements and, if so, notify the relevant supervisory authority within 72 hours if a high risk to individuals’ rights is identified. Additionally, teams should instruct affected employees to reset passwords, enable multi-factor authentication, and remain vigilant against suspicious communications. A review of vendor risk management processes and contractual data protection clauses is also advisable.