Skip to content
Supply chainContained

828,000 stop-points exposed in data leak at Loxam

On 4 February 2026, French equipment-rental group Loxam disclosed a breach of a third-party delivery-planning system that exposed roughly 60 GB of logistics data — 94,735 delivery routes and about 828,000 geolocated stop-points covering 2020-2026, plus customer, driver and vehicle details.

Victim
Loxam
SectorOther

On 4 February 2026, Loxam — Europe's largest equipment-rental group, headquartered in France — disclosed that customer, employee and partner data had been exfiltrated through a third-party software platform used to plan its equipment deliveries. The company described the incident as circumscribed and closed, and said it was in the process of notifying the relevant authorities.

The breach did not hit Loxam's core systems directly but its transport-management and route-planning system (TMS) operated via an outside provider — making this a supply-chain exposure. Roughly 60 GB of logistics data spanning January 2020 to early 2026 was reported to have been compromised, affecting Loxam's French operations.

The exposed dataset included:

  • 94,735 delivery routes and around 828,000 geolocated stop-points
  • Roughly 89,420 unique client businesses and 53,165 vehicle registration plates
  • More than 244,000 phone numbers
  • Driver full names and personal/professional phone numbers
  • Precise GPS coordinates, full delivery addresses and site-access instructions
  • Activity logs, timestamps, delivery signatures and operational comments

Because Loxam's delivery network serves major French firms and public institutions, the leaked routing and access data raised concerns about indirect mapping of sensitive sites. Loxam stated that, based on its investigation, none of the affected data was of a nature likely to harm its customers, and that the incident had been contained.

Sources

  1. fuitesinfos.frhttps://fuitesinfos.fr/article/2026-02-04-loxam
  2. secuslice.comhttps://secuslice.com/2026/02/fuite-massive-loxam-logistique-ssi-critique/
  3. internationalrentalnews.comhttps://www.internationalrentalnews.com/news/loxam-reports-data-breach/8113399.article
  4. x.comhttps://x.com/seblatombe/status/2019783917407010967

Related incidents

Supply chainContained

Leak at La Mine Bleue (via Vivaticket)

On 31 March 2026, French tourist attraction La Mine Bleue notified customers that their personal data — names, postal code/country, email and purchase history — was exposed in the ransomware breach of its ticketing provider Vivaticket; no banking data was affected.

Victim
La Mine Bleue
Supply chainOngoing

Leak at Musée des Arts et Métiers

Disclosed on 18 March 2026, the Musée des Arts et Métiers was caught up in the Vivaticket supply-chain ransomware breach, exposing online shop and ticketing customers' names, email addresses, account details and order history.

Victim
Musée des Arts et Métiers
Supply chainContained

Leak at Bibliothèque Nationale de France

A March 2026 ransomware attack on the Bibliothèque Nationale de France's third-party online ticketing provider exposed the names and email addresses of users who had booked cultural events; banking data, handled by a separate vendor, was not affected.

Victim
Bibliothèque Nationale de France