Skip to content
Supply chainContained

Saint-Étienne: city hit by a cyberattack through its ticketing provider

On 29 April 2026, the City of Saint-Étienne and Saint-Étienne Métropole disclosed a security incident at their third-party ticketing provider, prompting the precautionary deactivation of user account passwords and a forced reset for online ticketing customers.

Victim
Saint-Étienne town hall

On 29 April 2026, the City of Saint-Étienne and Saint-Étienne Métropole — the municipal authority and metropolitan body for the Loire prefecture — disclosed a security incident affecting the third-party provider that operates their online ticketing service. The compromise occurred in the supplier's systems rather than the city's own infrastructure, making this a supply-chain incident in the municipal subcontracting chain.

As a precaution, the authorities deactivated the passwords of affected ticketing accounts and asked users to set a new one via the "forgot password" function on their next login. Residents were warned to expect login failures during the operation and to stay alert to suspicious emails or links that could exploit the incident.

The city did not specify which categories of personal data may have been exposed, nor the number of accounts affected. Information at risk in this type of ticketing breach typically includes:

  • Account login identifiers (email addresses / usernames)
  • Account passwords (status undisclosed; resets imposed as a precaution)
  • Customer profile and ticketing account data

As of disclosure, the incident is considered contained: the city took immediate containment steps (password deactivation and forced reset) while the full scope and the precise data exposed remained under assessment.

Sources

  1. cyberattaque.orghttps://www.cyberattaque.org/saint-etienne-la-ville-victime-dune-cyberattaque-via-son-prestataire-de-billetterie/
  2. fuitesinfos.frhttps://fuitesinfos.fr/article/2026-04-29-saint-etienne-metropole

Related incidents

Supply chainContained

Leak at Contrat d'intégration républicaine

France's OFII immigration agency notified signatories of the Contrat d'intégration républicaine that a January 2026 breach via a compromised subcontractor exposed the names, emails, phone numbers and postal addresses of roughly 2.1 million people.

Victim
Contrat d'intégration républicaine
Records
2.1M