What Happened
In February 2026, RTL Group, a major European media company headquartered in Luxembourg, disclosed a breach affecting approximately 27,000 employees.
The compromised data includes names, emails, job details, and phone numbers. GDPR obligations apply for affected EU residents.
Timeline
- February 2026 — RTL Group discloses breach affecting approximately 27,000 employees
Impact and Risk Assessment
For Individuals
27,000 employees had their professional contact information and job details exposed, enabling highly targeted spear-phishing campaigns.
For Organisations
RTL Group faces GDPR notification obligations and potential regulatory scrutiny across multiple EU jurisdictions where it operates.
Exposed organisational structure and employee details can be leveraged for business email compromise attacks.
Regulatory Context
GDPR applies, with the Luxembourg data protection authority (CNPD) as the lead supervisory authority. Notification obligations may extend to multiple EU member states where RTL operates.
What Should You Do?
For Individuals
- If you are an RTL Group employee, be particularly vigilant about spear-phishing emails that reference your role, department, or colleagues.
For Security Professionals
- Large media companies should implement email security controls including DMARC, DKIM, and SPF to reduce the effectiveness of impersonation attacks using exposed employee data.
Learnings and Recommendations
Employee data from large media companies can be used for highly targeted spear-phishing campaigns that leverage knowledge of organisational structure and roles.