Cyber Incident Victim: alltours.nl

On February 1, 2025, alltours disclosed a cyberattack targeting its Dutch website, alltours.nl, through which an unauthorized actor gained access to customer booking data. The breach specifically affected individuals who had booked trips online via any of the company’s websites. alltours’ IT department identified the intrusion and promptly closed the security vulnerability used by the hacker to prevent further unauthorized access. While the exact timeframe of the breach was not specified, the company confirmed it had proactively notified all potentially impacted customers as a precautionary measure. No evidence suggested that compromised personal data had been misused or disseminated following the incident. The attack exclusively targeted booking information, though the precise volume of affected records or types of data exposed were not detailed in the public statement.

alltours Managing Director Jan Mayer publicly acknowledged the incident, emphasizing the company’s immediate response and collaboration with law enforcement’s cybercrime division and external cybersecurity experts to investigate the breach. The company filed a criminal complaint and reported the incident to the North Rhine-Westphalia State Commissioner for Data Protection and Freedom of Information in compliance with GDPR Article 33 obligations. Mayer expressed regret for inconveniences caused to customers but reaffirmed alltours’ operational continuity, noting its status as one of Germany’s top three tour operators with 2.3 million guests in the 2023/24 business year. The disclosure highlighted the breach’s containment to the alltours.nl web infrastructure, with no reported disruptions to other group entities, including travel agencies, hotels, or subsidiary brands like byebye and Viajes allsun.