Skip to content
Supply chainContained

Leak at Bibliothèque Nationale de France

A March 2026 ransomware attack on the Bibliothèque Nationale de France's third-party online ticketing provider exposed the names and email addresses of users who had booked cultural events; banking data, handled by a separate vendor, was not affected.

Victim
Bibliothèque Nationale de France
SectorOther

On 17 March 2026, the Bibliothèque Nationale de France (BnF) — France's national library — disclosed a data breach affecting users who had booked tickets for its cultural events and exhibitions. The incident did not stem from a compromise of the BnF's own systems but from a ransomware attack against a third-party online ticketing provider, a classic supply-chain compromise reaching the library's ecosystem through a peripheral vendor.

The attackers deployed ransomware against the ticketing platform, suggesting an attempt at data encryption combined with financial extortion, though no ransom demand was publicly detailed. Personal data tied to event reservations was exposed, while banking and payment information — processed by a separate provider — was not affected.

Exposed data categories included:

  • Surnames and first names
  • Email addresses

The BnF notified the CNIL (France's data protection authority) in line with its breach-notification obligations, and ANSSI (the national cybersecurity agency) was monitoring the situation. The library stated it was working with the affected provider to strengthen security and prevent a recurrence.

Sources

  1. zataz.comhttps://www.zataz.com/cyberattaque-a-la-bnf-donnees-exposees/
  2. bonjourlafuite.eu.orghttps://bonjourlafuite.eu.org/#Biblioth%C3%A8que%20Nationale%20de%20France-2026-03-17

Related incidents

Supply chainContained

Leak at La Mine Bleue (via Vivaticket)

On 31 March 2026, French tourist attraction La Mine Bleue notified customers that their personal data — names, postal code/country, email and purchase history — was exposed in the ransomware breach of its ticketing provider Vivaticket; no banking data was affected.

Victim
La Mine Bleue
Supply chainOngoing

Leak at Musée des Arts et Métiers

Disclosed on 18 March 2026, the Musée des Arts et Métiers was caught up in the Vivaticket supply-chain ransomware breach, exposing online shop and ticketing customers' names, email addresses, account details and order history.

Victim
Musée des Arts et Métiers