New Booking.com and Basic‑Fit breaches

Booking.com and Basic-Fit are dealing with separate breaches that exposed customer data in Europe within days of each other. (bleepingcomputer.com) Booking.com told customers that attackers accessed reservation-related data, including names, email addresses, phone numbers, addresses and stay details, and reset reservation PIN codes after the intrusion. (skift.com) Basic-Fit said on April 13 that unauthorized access hit a system used to record member visits, affecting about 200,000 members in the Netherlands and roughly 1 million across several countries, according to a company spokesperson cited by Reuters. (finance.yahoo.com) The data Basic-Fit said was exposed included names, birth dates, contact details and bank account information. The company said no passwords were accessed and that it does not store members’ identity documents. (finance.yahoo.com) These incidents land as European regulators keep pressing companies to report breaches quickly and warn users when stolen data could be used for fraud. The European Data Protection Board’s breach-notification guidance remains the baseline for how companies are expected to respond under the General Data Protection Regulation. (edpb.europa.eu) In the Netherlands, the data protection authority says leaked purchase or reservation records can include names, addresses, email addresses and other details tied to a transaction, and says exposed bank data can raise the risk of fraud. (autoriteitpersoonsgegevens.nl) Booking.com has been under Dutch regulatory scrutiny before. The Dutch authority said in April 2024 that it had finished a year of intensified monitoring after fining Booking.com €475,000 in 2021 for reporting an earlier breach too late. (autoriteitpersoonsgegevens.nl) That regulator also said many of the fraud cases it reviewed involved criminals taking over accommodation accounts and sending fake payment messages through Booking.com’s messaging system, making the messages appear authentic to guests. (autoriteitpersoonsgegevens.nl) Basic-Fit is not a niche target. The company said in its January 26 trading update that it ended 2025 with 4.82 million memberships, which means the reported breach touched a meaningful share of its active customer base. (corporate.basic-fit.com) For customers, the immediate problem is not only what was taken, but what can be done with it next: fake hotel-payment requests, phishing emails, and bank-related scams built from real booking or membership details. Both cases now move into the familiar next phase of notices, regulator review and customer vigilance. (autoriteitpersoonsgegevens.nl)