Leak at Bibliothèque Nationale de France
A March 2026 ransomware attack on the Bibliothèque Nationale de France's third-party online ticketing provider exposed the names and email addresses of users who had booked cultural events; banking data, handled by a separate vendor, was not affected.
- Victim
- Bibliothèque Nationale de France
On 17 March 2026, the Bibliothèque Nationale de France (BnF) — France's national library — disclosed a data breach affecting users who had booked tickets for its cultural events and exhibitions. The incident did not stem from a compromise of the BnF's own systems but from a ransomware attack against a third-party online ticketing provider, a classic supply-chain compromise reaching the library's ecosystem through a peripheral vendor.
The attackers deployed ransomware against the ticketing platform, suggesting an attempt at data encryption combined with financial extortion, though no ransom demand was publicly detailed. Personal data tied to event reservations was exposed, while banking and payment information — processed by a separate provider — was not affected.
Exposed data categories included:
- Surnames and first names
- Email addresses
The BnF notified the CNIL (France's data protection authority) in line with its breach-notification obligations, and ANSSI (the national cybersecurity agency) was monitoring the situation. The library stated it was working with the affected provider to strengthen security and prevent a recurrence.
Sources
- zataz.comhttps://www.zataz.com/cyberattaque-a-la-bnf-donnees-exposees/
- bonjourlafuite.eu.orghttps://bonjourlafuite.eu.org/#Biblioth%C3%A8que%20Nationale%20de%20France-2026-03-17