Skip to content
Data breachContained

Pierre & Vacances: 4.5 million holidaymakers exposed in a massive data leak

In May 2026, French tourism group Pierre & Vacances-Center Parcs disclosed a breach of its maeva-owned 'La France du Nord au Sud' platform, exposing personal data tied to about 1.6 million reservations and up to 4.5 million customers, including names, dates of birth, phone numbers and stay details.

Victim
Pierre & Vacances
records
4.5M

On 15 May 2026, Pierre & Vacances-Center Parcs (PVCP) — one of Europe's largest holiday-rental and resort operators — acknowledged a major data breach affecting its booking platform "La France du Nord au Sud", a subsidiary operated under the group's maeva brand. The group was alerted to the incident on 14 May and made it public a few days later.

The breach stemmed not from a ransomware intrusion but from an Insecure Direct Object Reference (IDOR) flaw in the booking platform. An attacker — operating under the handle "ChimeraZ" and advertising the data on an underground forum — exploited the vulnerability through automated, large-scale scraping carried out over several weeks, harvesting records that reportedly stretched back as far as a decade. Roughly 1.6 million reservations and up to 4.5 million customers were affected, spanning some 38,945 residences and tourist accommodations.

Because the platform aggregates bookings across the group's portfolio, exposed records also touched reservations linked to brands including Center Parcs, Odalys, Pierre & Vacances, Lagrange Vacances, Belambra, Adagio, Sandaya, Flower Campings, Goélia and Départ 18:25. The exposed data categories included:

  • Reservation/file numbers
  • Customer names and dates of birth
  • Phone numbers
  • Stay dates, locations and booking history
  • Selected accommodations and reserved options (e.g. TV, air conditioning)

The group stated that no banking data and no email addresses were among the collected information. PVCP said it had identified and patched the underlying vulnerability, deployed corrective security measures, notified France's data-protection regulator (the CNIL), and filed a complaint with the authorities.

Sources

  1. cyberattaque.orghttps://www.cyberattaque.org/maeva-pierre-vacances-center-parcs-cyberattque-fuite-donnees/
  2. optionfinance.frhttps://www.optionfinance.fr/info-financiere-en-continu/d/2026-05-18-pierre-vacances-center-parcs-touche-par-une-fuite-de-donnees.html

Related incidents