Skip to content
Data breachContained

Leak at Indigo

In April 2025, French parking operator Indigo disclosed a breach after attackers accessed its information systems and stole customer names, postal and email addresses, phone numbers and vehicle license plates; no banking data or passwords were affected.

Victim
Indigo

On 18 April 2025, Indigo — one of the world's largest parking operators, present in more than 750 cities and managing over 2.5 million parking spaces — notified customers that malicious actors had gained unauthorized access to its information systems and exfiltrated personal data. The company informed affected users individually by email, including customers outside France such as in Belgium.

The intrusion exposed customer contact details and, where users had registered them, vehicle license plates. Indigo stated that no banking data, passwords, or account-access credentials were compromised, and that Indigo Neo accounts remained protected.

Exposed data categories included:

  • First and last name
  • Postal address
  • Email address
  • Phone number
  • Vehicle license plate number (where provided)

Security researchers and the press highlighted a specific risk for affected drivers: exposed license plates can be cloned ("doublettes"), exposing victims to fines for speeding, parking or low-emission-zone violations they did not commit, as well as phishing and identity-theft attempts.

Indigo filed a criminal complaint with prosecutors, notified France's data protection authority (CNIL) in line with its legal obligations, and engaged cybersecurity specialists to investigate. The company reported that services continued operating normally, that it had reinforced its security measures, and that no fraudulent use of the stolen data had been observed at the time of disclosure. No ransomware was mentioned in connection with the incident.

Sources

  1. group-indigo.comhttps://www.group-indigo.com/en/indigo-incident-alert/
  2. zataz.comhttps://www.zataz.com/faille-chez-indigo-des-donnees-personnelles-exposees-la-cybersecurite-en-alerte/
  3. usine-digitale.frhttps://www.usine-digitale.fr/article/le-specialiste-du-parking-indigo-victime-d-une-fuite-de-donnees-personnelles.N2230951
  4. next.inkhttps://next.ink/brief_article/stationnement-vol-de-donnees-au-sein-du-groupe-indigo/

Related incidents

Data breachContained

Leak at Mondial Relay

In December 2025, French parcel-delivery firm Mondial Relay disclosed a cyberattack in which attackers accessed customer and shipment data — names, emails, postal addresses, phone numbers and parcel-tracking details; a dark-web actor claimed roughly 25.7 million records.

Victim
Mondial Relay
Data breachContained

Leak at Chronopost

In December 2025, a 680 MB dataset on ~860,000 Chronopost customers — names, emails and parcel details scraped from the La Poste Pickup relay-point network — was published on BreachForums; the data covered shipments from spring 2025.

Victim
Chronopost
Records
860.0K
Data breachContained

Leak at Colis Privé

In November 2025, French parcel-delivery firm Colis Privé disclosed unauthorized access to part of its systems that exposed customer contact data — names, postal and email addresses and phone numbers. A threat actor advertised a dataset reportedly running to tens of millions of rows; no passwords or banking data were affected.

Victim
Colis Privé
Data breachContained

Leak at Digital Charging Solutions

In September 2025, EV-charging billing provider Digital Charging Solutions disclosed that a contracted third-party service provider had accessed customer records without authorization, exposing names and email addresses of an initial single-digit number of affected users.

Victim
Digital Charging Solutions