Breach: CTT (468,124 accounts) — Email addresses, Names, Phone numbers

On 26 April 2026, a data breach affecting CTT, the Portuguese postal and logistics operator, was published on Have I Been Pwned. The incident exposed 468,124 accounts, compromising email addresses, names, and phone numbers. This breach is now publicly documented, meaning affected individuals and regulators are likely aware, and it may trigger notification obligations under GDPR.

The primary affected organization is CTT, which operates in the postal, logistics, and financial services sectors within Portugal. However, any EU entity that processes personal data of Portuguese residents should assess whether their own systems or third-party vendors interact with CTT’s compromised data. The breach also serves as a broader reminder for logistics and financial firms about supply chain data risks.

Compliance teams should immediately verify whether their organization has any data-sharing agreements or integrations with CTT. If so, conduct a risk assessment to determine if the breach impacts your data subjects, and prepare to notify relevant data protection authorities and affected individuals within 72 hours if required. Additionally, review your incident response plan, enforce password resets for any accounts that reused credentials, and monitor for phishing attempts leveraging the exposed contact details.