Key developments
Booking.com confirms reservation-data breach
Booking.com confirmed that unauthorized third parties accessed sensitive reservation data in April 2026 and said the incident was contained. Reported exposed information included phone numbers, reservation details, hotel names, and trip dates, while financial data was not reported exposed. Affected bookings received PIN-reset notifications, which increases the risk of convincing phishing, smishing, and impersonation attempts tied to real travel plans.
Why it matters
Travel reservation data can be reused for targeted scams even when payment data is not exposed.
Sources & driving stories
MEDIUM
Medium coverageALTEXSOFT
AltexSoft coverageMilan court allows Meta Facebook class action
A Milan court approved a class action against Meta Platforms over a Facebook data-scraping incident affecting users in Italy and worldwide. The court said the scraping occurred between January 2018 and September 2019 and that Meta disclosed the incident in 2021; Reuters reported the exposure touched about 533 million Facebook users globally and roughly 35 million in Italy. Meta said it disagreed with the procedural ruling and expected the case to be dismissed.
Why it matters
The ruling keeps a major GDPR compensation case alive and could encourage similar privacy claims in Europe.
Sources & driving stories
PYMNTS.COM
PYMNTS.com coverageCalifornia opt-out audit flags big-tech failures
KQED reported that a webXray review of March traffic in California found Google, Meta, and Microsoft may have ignored Global Privacy Control signals at scale. The audit said Google failed to honor the signal 86% of the time, Meta 69% of the time, and Microsoft 50% of the time. The companies disputed the findings, while the report renewed attention on California's CCPA/CPRA enforcement regime and the upcoming Delete Act deadline for data brokers.
Why it matters
If confirmed, the findings would expose a major gap between California privacy rights and how major platforms implement them.
Sources & driving stories
KQED · Rachael Myrow
KQED coverageWorth noting
WORTH NOTING
ICE buys $12.2M migrant-tracking AI
The procurement expands passive location surveillance tied to immigrants, gangs, and related targets.
WORTH NOTING
McGraw Hill cites Salesforce misconfiguration breach
It adds another ShinyHunters-linked CRM incident and suggests misconfiguration in a SaaS environment may have exposed data.
WORTH NOTING
Comcast reaches $117.5M breach settlement
The settlement resolves a major 2023 breach and sets another large privacy payout benchmark.
Still unclear
OPEN QUESTION
Will Booking.com disclose the access path?
Whether the breach came through Booking.com, a partner, or a hotel account will determine the real exposure point.
OPEN QUESTION
Will California regulators test GPC enforcement?
The audit suggests the law may be stronger on paper than in actual browser-level compliance.