Data Breach Exposes 468 k Email, Phone, and Parcel‑Tracking Details from Portugal’s CTT Postal Service
What Happened — In April 2026, a dataset containing 468,124 unique CTT customer records (email, name, phone number, and parcel‑tracking numbers) was posted on a public hacking forum. The information enables anyone to view the full tracking history of shipped parcels.
Why It Matters for TPRM —
- Personal identifiers combined with logistics data create a high‑value phishing and fraud commodity.
- Vendors that integrate CTT’s tracking APIs may inherit the exposed data, expanding the attack surface.
- Regulatory exposure for public‑sector entities handling citizen data can trigger fines and reputational damage.
Who Is Affected — Government & public‑sector (Portugal’s national postal service), logistics and e‑commerce partners that rely on CTT tracking services.
Recommended Actions — Review CTT’s security posture, demand evidence of incident response and remediation, enforce password rotation and MFA for any downstream integrations, and reassess data‑sharing agreements.
Technical Notes — Attack vector unknown; breach appears to be a data exfiltration incident. No CVE referenced. Exposed data fields: email address, full name, telephone number, parcel‑tracking identifier (usable to retrieve shipment history). Source: https://haveibeenpwned.com/Breach/CTT