Skip to content
Supply chainContained

Leak at Cultura

On 10 September 2024, French cultural-goods retailer Cultura disclosed that a breach at a shared third-party IT provider exposed the personal data of about 1.5 million customers, including names, contact details and order history; passwords and bank data were not affected.

Victim
Cultura
records
1.5M

On 10 September 2024, Cultura β€” a major French retailer of cultural, creative and leisure goods β€” disclosed a data breach affecting roughly 1.5 million customers. The compromise did not originate inside Cultura's own systems but at a shared external IT service provider used by several retail brands operating online stores.

The intrusion at the provider's database occurred during the same early-September wave of attacks that also hit Boulanger; other brands such as Pepe Jeans, GrosBill and CyberTek were reported among the suspected victims of the same vendor compromise. Cultura said it identified and fixed the underlying vulnerability after being alerted.

The exposed data included:

  • First and last name
  • Customer identifier
  • Email address and postal address
  • Mobile/phone number
  • Order and purchase history

According to Cultura, passwords and banking details were not compromised. The company notified France's data protection regulator (CNIL), filed a criminal complaint, and emailed affected customers individually, warning them to be alert to phishing attempts using the leaked contact information.

Sources

  1. next.inkhttps://next.ink/149551/boulanger-cultura-diviamobilites-les-fuites-de-donnees-se-multiplient/
  2. franceinfo.frhttps://www.franceinfo.fr/internet/securite-sur-internet/cyberattaques/cultura-victime-d-une-cyberattaque-les-donnees-de-1-5-million-de-clients-derobees_6774133.html
  3. lebigdata.frhttps://www.lebigdata.fr/cultura-donnees-d-15-million-de-clients-volees

Related incidents

Supply chainContained

Leak at Boulanger

On the night of 6-7 September 2024, French electronics retailer Boulanger suffered a data breach traced to a shared third-party delivery/IT provider, exposing the names, postal and email addresses and phone numbers of several hundred thousand customers; no banking data was affected.

Victim
Boulanger
Supply chainContained

Leak at Jeu Jouet

French online toy retailer JeuJouet.com warned customers in April 2026 that its Magento e-commerce platform was compromised in a mass exploitation campaign, potentially exposing names, email addresses, account credentials and order data; no banking details were affected.

Victim
Jeu Jouet