Saint-Étienne: city hit by a cyberattack through its ticketing provider
On 29 April 2026, the City of Saint-Étienne and Saint-Étienne Métropole disclosed a security incident at their third-party ticketing provider, prompting the precautionary deactivation of user account passwords and a forced reset for online ticketing customers.
- Victim
- Saint-Étienne town hall
On 29 April 2026, the City of Saint-Étienne and Saint-Étienne Métropole — the municipal authority and metropolitan body for the Loire prefecture — disclosed a security incident affecting the third-party provider that operates their online ticketing service. The compromise occurred in the supplier's systems rather than the city's own infrastructure, making this a supply-chain incident in the municipal subcontracting chain.
As a precaution, the authorities deactivated the passwords of affected ticketing accounts and asked users to set a new one via the "forgot password" function on their next login. Residents were warned to expect login failures during the operation and to stay alert to suspicious emails or links that could exploit the incident.
The city did not specify which categories of personal data may have been exposed, nor the number of accounts affected. Information at risk in this type of ticketing breach typically includes:
- Account login identifiers (email addresses / usernames)
- Account passwords (status undisclosed; resets imposed as a precaution)
- Customer profile and ticketing account data
As of disclosure, the incident is considered contained: the city took immediate containment steps (password deactivation and forced reset) while the full scope and the precise data exposed remained under assessment.
Sources
- cyberattaque.orghttps://www.cyberattaque.org/saint-etienne-la-ville-victime-dune-cyberattaque-via-son-prestataire-de-billetterie/
- fuitesinfos.frhttps://fuitesinfos.fr/article/2026-04-29-saint-etienne-metropole