Two Amsterdam-headquartered companies, one very bad Sunday. Booking.com — the travel giant owned by US-listed BKNG — confirmed it detected “suspicious activity” affecting customer reservation data. Basic-Fit (BFIT on Euronext Amsterdam) confirmed hackers accessed the data of roughly 1 million gym members, with around 200,000 in the Netherlands having their bank account numbers, names, dates of birth and contact information exposed.
Both companies say the situation is now “under control.” But for investors, that statement is where the story starts, not where it ends.
What Actually Got Stolen
At Booking.com, hackers accessed booking details, names, home addresses, email addresses and phone numbers. Crucially — and this matters for how serious regulators will treat it — no payment or credit card information appears to have been taken, and Booking.com has reset PIN numbers on all affected reservations. The company has not said how many customers were affected or when the breach occurred, which is already a problem. Under GDPR, companies are legally required to notify the Dutch Data Protection Authority within 72 hours of discovering a breach.
This isn’t Booking.com’s first rodeo with regulators. In 2018 it reported a similar breach to the Dutch DPA 22 days late and was fined €475,000 for missing that 72-hour window. The 2018 fine was small because the scale was small — 4,000 affected customers. The current breach is clearly bigger, and regulators will be watching the timeline very carefully.
At Basic-Fit, the damage is more specific and arguably more serious from a fraud perspective. Bank account numbers — known as IBAN numbers — were among the data exposed for the Dutch members. Unlike a home address or phone number, your IBAN can be used to initiate direct debit payments. Basic-Fit says the breach was detected and stopped within minutes by its own monitoring tools, and the Dutch Data Protection Authority has already been notified, per Reuters.
The Investor Risk: GDPR Isn’t Cheap
Here’s the part that matters if you hold either stock. Under EU GDPR rules, a severe data breach can result in a fine of up to 4% of a company’s global annual revenue — or €20 million, whichever is higher.
For $BKNG, that number is genuinely eye-watering. According to Booking Holdings’ own SEC 10-K filing, full-year 2025 revenue was $26.9 billion. Four percent of that is over $1 billion. Regulators rarely impose the theoretical maximum — the Dutch DPA and Ireland’s DPC tend to calibrate fines based on scale, intent, and cooperation — but even a fraction of the maximum would be a material hit. For context, Uber was fined €290 million by the Dutch DPA in 2024 for data transfer violations. LinkedIn was hit with €310 million by the Irish regulator the same year.
For $BFIT, the maths is different. Basic-Fit’s market cap sits around €2 billion, and the company is already in a delicate position — it carries significant debt from its rapid European expansion and only recently returned to profit. A sizeable GDPR fine at the wrong moment would sting much more proportionally than it would for Booking Holdings.
The Bigger Picture
Today’s breaches didn’t happen in isolation. The Netherlands has had a rough run on data security in 2026. In February, telecoms operator Odido — formerly T-Mobile Netherlands — suffered what experts described as one of the largest data breaches in Dutch history, with 6.2 million customer accounts exposed including IBAN numbers and passport details, per TNW. Dutch regulators are on high alert, and that means less patience and faster enforcement.
The other risk for Booking.com specifically is trust. Its entire business model is built on customers handing over personal and payment details to book accommodation around the world. A breach that chips away at that trust — especially one the company handles opaquely — creates a slow-burn problem that doesn’t show up in a fine. It shows up in churn, in conversion rates, and in the cost of acquiring new customers.
What to Watch
For $BKNG: the next disclosure. If the company confirms the number of affected customers, the timeline of the breach, and whether the Dutch DPA was notified within 72 hours, you can start sizing the regulatory risk. If it stays silent, that silence itself becomes a problem.
For $BFIT: the earnings report lands on April 16 — in three days. Management will face questions about the breach on that call. Watch for any updated guidance on costs and whether the bank account exposure triggers any direct financial fraud against members that the company might be liable for.
Neither of these is a company-ending event on its own. But the combination of a sloppy disclosure timeline, a data-hungry regulator, and a fine landing at the wrong point in the business cycle is exactly the kind of thing that turns a bad week into a bad quarter.