Homair: customer data exposed after a cyberattack
On 31 March 2026, French camping and holiday-village operator Homair disclosed a data breach traced to a compromised third-party technical provider, exposing customers' names, email addresses, phone numbers and booking details (destination, stay dates, amount paid), while bank data, passwords and postal addresses were said to be unaffected.
- Victim
- Homair
On 31 March 2026, Homair — a French operator booking stays at campsites and holiday villages — disclosed a customer data breach traced to a compromise at one of its third-party technical providers rather than to its own systems.
The incident is widely reported as part of a cluster of breaches across French tourism brands in March 2026 (alongside operators such as Vacancéole and Belambra), with the suspected common point being a shared booking/reservation tool used in the sector. Homair has not officially named the compromised provider.
Exposed customer data reportedly included:
- First and last name
- Email address
- Phone number
- Booking details: destination, stay dates, and amount paid
Homair stated that no banking data, passwords, or postal addresses were affected. Even so, the leaked combination of identity and reservation details is well suited to targeted phishing and personalised fraud (for example, fake "booking problem" or refund messages), and customers were urged to be wary of unsolicited contact referencing their stays. The breach is reported as contained on Homair's side, the exposure being attributable to the external provider.
Sources
- cyberattaque.orghttps://www.cyberattaque.org/homair-les-donnees-clients-exposees-apres-une-cyberattaque/
- frenchbreaches.comhttps://frenchbreaches.com/blog/piratage-dans-le-tourisme-homair-vacanceole-belambra-la-piste-septeoresalys-se-dessine-t-elle