Dutch travel company refuses compensation after cyberattack exposes customer data

Dutch travel company Sunweb will not compensate customers affected by a recent data breach that exposed personal and travel information, the company said. Victims of last week’s phishing emails will not receive reimbursement for damages, and those wishing to rebook upcoming trips due to the leak will not be granted leniency.

Sunweb discovered the cyberattack last week after customers reported receiving phishing emails. Cybercriminals had broken into one of the company’s systems and used the stolen data to demand payments from customers under the threat that their trips would be canceled.

The company declined to say how many customers were affected, citing an ongoing investigation by the Autoriteit Persoonsgegevens, the Dutch Data Protection Authority. Many concerned travelers contacted Sunweb on Friday, worried that hackers who know their home addresses and travel dates could target them for burglaries while they are away.

“We are incredibly sorry, and it’s understandable that people are worried,” a Sunweb spokesperson said. “We are listening and trying to explain as clearly as possible what happened. According to our policy, customers can always rebook free of charge up to six weeks before departure. Some are now calling to ask whether that can be done within six weeks, but we decided to stick to our existing policy.”

The company added that travelers departing in the coming weeks are not yet actively rebooking their trips. Sunweb said it warned all customers with upcoming bookings “as soon as possible” after discovering the breach, urging them not to click on links in the phishing messages and to contact their banks immediately if they had done so.