High

BCD Travel Breach: 396K Corporate Travel Records Exposed

In May 2026, the corporate travel management company BCD Travel was claimed as a victim of the ShinyHunters "pay or leak" extortion campaign. Data allegedly obtained from BCD was subsequently published publicly in early June and contained 396k unique email addresses. Other exposed data included nam...

Overview

On May 28, 2026, the ShinyHunters extortion group claimed to have breached BCD Travel, a global corporate travel management company. After BCD declined to meet the ransom demand, the stolen data was published publicly on a dark web forum in early June. The exposed cache contains 396,313 unique email addresses, along with names, phone numbers, employers, and job titles. The data appears to come from multiple internal sources - including leads, employee records, and support ticket systems - making this a high-severity incident for both current and former business contacts of BCD Travel.

What Was Exposed

The leaked dataset includes:

  • Email addresses - 396,313 unique business and personal email accounts
  • Names - full names of affected individuals
  • Phone numbers - direct office and mobile lines
  • Employers - the company or organization associated with each individual
  • Job titles - professional roles, from administrative staff to executive leadership

Unlike many breaches that dump passwords or financial data, this leak focuses on professional contact information. However, the combination of employer details and job titles makes it particularly valuable for targeted phishing and business email compromise (BEC) attacks.

Who Is Actually Affected

The breach impacts far more than BCD Travel’s internal staff. Based on the data types and source systems described, those at risk include:

  • Corporate travel managers and procurement officers at client companies
  • Business travelers whose bookings were processed through BCD Travel
  • Hotel and airline partners listed in support ticket exchanges
  • Former employees whose contact info remained in old systems

If you have ever booked a business trip through BCD Travel, been listed as a company contact for travel arrangements, or worked with BCD on vendor or partner matters, your data may be in this dump.

How the Breach Happened

ShinyHunters operates a “pay or leak” extortion business model. In BCD’s case, the group claims to have gained access through compromised credentials - likely from a low-privileged employee account that was not protected by multi-factor authentication (MFA). Once inside, the attackers moved laterally to access multiple data silos: CRM leads, an employee directory database, and support ticket records. BCD’s decision not to pay the ransom resulted in the full dataset being posted publicly on June 2, 2026.

Industry Context

This breach follows a troubling pattern in the corporate travel sector. In the past 18 months, similar attacks have hit American Express Global Business Travel, CWT, and FCM Travel. The sector is attractive to attackers because travel management companies hold aggregated third-party contact data for hundreds of client organizations. A single breach can expose the C-suite travel patterns of Fortune 500 companies, making it a goldmine for spear-phishing and social engineering campaigns. The BCD breach is the largest corporate travel data leak publicly documented this year.

How to Check If You’re Affected

BCD Travel has not yet launched a public notification portal. However, the leaked data has been uploaded to Have I Been Pwned (HIBP). To verify if your email was exposed:

  1. Go to haveibeenpwned.com
  2. Enter the email address you use for BCD Travel bookings or corporate travel management
  3. If your email appears in the “BCD Travel” breach entry, your contact data is publicly accessible

If you are an IT or security professional at a company that uses BCD Travel, check your entire employee domain against HIBP’s domain search feature to identify all affected accounts.

What to Do Right Now

Because this breach exposed professional contact data (not passwords), your immediate action should focus on phishing defense:

  • Watch for targeted emails referencing BCD Travel, past bookings, or your travel preferences. Attackers will use your real employer name and job title to seem credible.
  • Enable MFA on all business email and travel booking accounts. This is your single best defense if an attacker tries to use your exposed email for credential stuffing.
  • Update your travel profiles with BCD Travel if you have an account - reset any saved payment cards or loyalty numbers as a precaution.
  • Alert your IT security team if you are a corporate customer of BCD Travel. They should add BCD-related domains and email addresses to their phishing monitoring filters.
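
For security teams, the domain check and the phishing-monitoring step above can be combined into one triage pass. The following is an added example, not code from BCD Travel or HIBP. It assumes a constructed sample shaped like the alias-to-breach-names JSON returned by HIBP's domain search, a hypothetical corporate domain (example.com), an assumed breach identifier ("BCDTravel"), and an assumed trusted sender domain.

```python
import json

# Constructed sample shaped like HIBP domain search output: alias -> breach names.
HIBP_RESULT = json.loads(
    '{"a.jones": ["BCDTravel"], "m.chen": ["Adobe", "BCDTravel"], "p.silva": ["Adobe"]}'
)
OUR_DOMAIN = "example.com"            # hypothetical corporate domain
BREACH_NAME = "BCDTravel"             # assumed identifier of the HIBP breach entry
TRUSTED_SENDERS = {"bcdtravel.com"}   # assumption: confirm with your account team
LURES = ("bcd travel", "bcdtravel", "booking", "travel preference")

# Constructed inbound-mail records, as a mail gateway log export might provide them.
MAIL_LOG = [
    {"from": "noreply@bcdtravel.com", "to": "a.jones@example.com",
     "subject": "Your BCD Travel itinerary"},
    {"from": "support@bcd-travel-billing.example.net", "to": "m.chen@example.com",
     "subject": "BCD Travel: confirm your past booking"},
    {"from": "alerts@bcdtravel.com.example.org", "to": "a.jones@example.com",
     "subject": "Update your travel preferences"},
    {"from": "promo@lookalike.example.net", "to": "p.silva@example.com",
     "subject": "BCD Travel booking refund"},
    {"from": "hr@example.com", "to": "m.chen@example.com", "subject": "Team lunch"},
]

def exposed_addresses(result, domain, breach):
    """Addresses on our domain that appear in the named breach."""
    return {f"{alias}@{domain}".lower()
            for alias, breaches in result.items() if breach in breaches}

def is_trusted(sender):
    """True only for an exact trusted domain or a real subdomain of one."""
    domain = sender.rsplit("@", 1)[-1].lower()
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_SENDERS)

def flag_lures(mail_log, exposed):
    """Mail to an exposed address that uses a travel lure from an untrusted sender."""
    flagged = []
    for msg in mail_log:
        subject = msg["subject"].lower()
        if (msg["to"].lower() in exposed
                and any(k in subject for k in LURES)
                and not is_trusted(msg["from"])):
            flagged.append(msg)
    return flagged

if __name__ == "__main__":
    exposed = exposed_addresses(HIBP_RESULT, OUR_DOMAIN, BREACH_NAME)
    for msg in flag_lures(MAIL_LOG, exposed):
        print("REVIEW:", msg["from"], "->", msg["to"], "|", msg["subject"])
```

The suffix check in is_trusted compares against "." plus the trusted domain, so a sender such as bcdtravel.com.example.org, which merely embeds the vendor name, is still flagged.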

Security Insight

BCD Travel’s breach reinforces a hard lesson for B2B service providers: third-party data is not a liability you can ignore. Client contact lists, partner directories, and support ticket histories are often treated as low-sensitivity data, but they are precisely what attackers use to fuel enterprise spear-phishing campaigns. Companies that aggregate corporate contact data should segment it with the same access controls they would apply to financial data. The ShinyHunters leak also shows that extortion groups are now specifically targeting intermediaries - companies that sit between multiple enterprises - because a single breach yields a net of high-value targets.
