BCD Travel
ShinyHunters publishes 700K corporate traveler records after BCD Travel misses ransom deadline. Business contacts, employers, and travel patterns exposed.
What happened?
ShinyHunters breached BCD Travel's Salesforce environment and internal SharePoint sites in late May 2026. They set a ransom deadline of June 1. When BCD didn't pay, the data went public.
BCD Travel is one of the world's largest corporate travel management companies, handling business travel for major enterprises globally. The breach exposed over 700,000 Salesforce records containing customer information, support tickets, and internal corporate data.
What data was actually inside?
Have I Been Pwned verified 396,000 unique email addresses in the leaked dataset. The full exposure included names, email addresses, phone numbers, physical addresses, job titles, and employer names. Multiple data sets were compromised: leads, internal staff records, and support tickets.
Corporate travel data reveals more than contact information. It shows who travels where, which companies use which vendors, and the relationships between businesses and their travel management providers.
Who gets hurt and how?
Business travelers whose personal contact information is now public. Corporate travel managers whose employer relationships are exposed. Companies whose travel vendors and patterns can now be mapped by competitors or threat actors.
The combination of personal details and employer information makes this data valuable for spear-phishing. "Hi [Name], I'm following up on the BCD Travel issue your company experienced..." is now a trivially easy attack vector for 700,000 people.
What did they think they were doing right?
BCD detected suspicious activity on an internal account and initiated their security protocol. They brought in outside specialists. They followed the incident response playbook.
But ShinyHunters doesn't encrypt systems—they steal data and threaten publication. By the time BCD detected the intrusion, the exfiltration was likely complete. Detection without prevention means the damage is already done.
What did they not know about their own data?
Salesforce environments accumulate years of customer data. Leads never converted. Support tickets from 2018. Contact information that should have been purged. SharePoint sites created for projects long finished but never decommissioned.
The 700,000 records exposed weren't all active customers. They included historical data, leads, and staff records accumulated over years. Without data inventory, there's no way to know what's actually sitting in your CRM until someone else tells you.
If your business runs on databases, you probably have similar records—customer data, credentials, financial information. Do you know what's actually in yours?
What does attribution look like the morning after?
GDPR applies—BCD is Dutch, and the breach affects EU residents. The 72-hour notification window started when they confirmed personal data exposure. Client contracts with corporate customers likely include breach notification requirements.
ShinyHunters published the data after the deadline passed. The breach is now public. Notification isn't about whether to tell people—it's about damage control for data that's already circulating.
What would have changed the outcome?
Knowing what customer data actually existed in Salesforce and SharePoint—and purging what shouldn't have been there.
700,000 records is a lot of exposure. How many of those were active customers versus historical leads and stale data? A data inventory would have revealed the accumulation—enabling cleanup before attackers mapped the environment. Less data means smaller breaches.
BCD Travel found out the hard way.
Your team could spend the next 6 months rebuilding systems, notifying customers, and answering legal questions. Or you could spend 24 hours finding out what's actually at risk.