Skip to content
Supply chainContained

Homair: customer data exposed after a cyberattack

On 31 March 2026, French camping and holiday-village operator Homair disclosed a data breach traced to a compromised third-party technical provider, exposing customers' names, email addresses, phone numbers and booking details (destination, stay dates, amount paid), while bank data, passwords and postal addresses were said to be unaffected.

Victim
Homair

On 31 March 2026, Homair — a French operator booking stays at campsites and holiday villages — disclosed a customer data breach traced to a compromise at one of its third-party technical providers rather than to its own systems.

The incident is widely reported as part of a cluster of breaches across French tourism brands in March 2026 (alongside operators such as Vacancéole and Belambra), with the suspected common point being a shared booking/reservation tool used in the sector. Homair has not officially named the compromised provider.

Exposed customer data reportedly included:

  • First and last name
  • Email address
  • Phone number
  • Booking details: destination, stay dates, and amount paid

Homair stated that no banking data, passwords, or postal addresses were affected. Even so, the leaked combination of identity and reservation details is well suited to targeted phishing and personalised fraud (for example, fake "booking problem" or refund messages), and customers were urged to be wary of unsolicited contact referencing their stays. The breach is reported as contained on Homair's side, the exposure being attributable to the external provider.

Sources

  1. cyberattaque.orghttps://www.cyberattaque.org/homair-les-donnees-clients-exposees-apres-une-cyberattaque/
  2. frenchbreaches.comhttps://frenchbreaches.com/blog/piratage-dans-le-tourisme-homair-vacanceole-belambra-la-piste-septeoresalys-se-dessine-t-elle

Related incidents

Supply chainContained

Leak at Alan (via Almerys)

On 23 May 2026, French digital health insurer Alan warned members that a cyberattack on its third-party claims processor Almerys had exposed their personal data — names, dates of birth, social security numbers and insurance contract details — though payment, password and health data were spared.

Victim
Alan