Skip to content
Supply chainContained

Data leak at Voyage Privé - upcoming bookings exposed

Voyage Privé, the French flash-sale travel platform, confirmed in February 2026 that a compromised third-party partner exposed reservation data for customers with upcoming trips — including names, country of residence, emails, phone numbers and, in some cases, passport numbers — fuelling a wave of WhatsApp phishing.

Victim
Voyage Privé

On 16 February 2026, Voyage Privé — the Aix-en-Provence-based flash-sale travel platform — confirmed a data breach affecting customers who had bookings for upcoming trips. The company stated that its own systems were not directly breached; instead, the unauthorised access occurred through one of its partners between 3 and 5 February 2026.

The compromised reservation data concerned travellers with forthcoming bookings. Exposed information reportedly included:

  • First and last names
  • Country of residence
  • Email addresses
  • Phone numbers
  • In some cases, passport numbers

The stolen data was quickly weaponised in a targeted phishing campaign. Attackers impersonated Voyage Privé customer service over WhatsApp, using accurate trip details to lend credibility to their messages and steering victims toward fraudulent domains — including one registered on 12 February 2026 behind Cloudflare-hosted infrastructure.

Voyage Privé acknowledged the incident publicly, notifying all affected customers through a dedicated communication, setting up a support contact and FAQ, and reporting the breach to France's data protection regulator, the CNIL. The number of affected customers was not disclosed and the investigation remained ongoing.

Sources

  1. fuitesinfos.frhttps://fuitesinfos.fr/article/2026-02-16-voyage-prive
  2. zataz.comhttps://www.zataz.com/voyage-prive-confirme-un-acces-non-autorise-via-un-partenaire/
  3. lechotouristique.comhttps://www.lechotouristique.com/article/voyage-prive-victime-dune-cyberattaque
  4. solutions-numeriques.comhttps://www.solutions-numeriques.com/voyage-prive-faux-whatsapp-apres-reservation-lentreprise-confirme-un-acces-via-un-partenaire/

Related incidents

Supply chainContained

Data leak at Suzuki

Suzuki France disclosed that a cyberattack on one of its third-party partner systems exposed a customer file containing names, email addresses, postal addresses and phone numbers; no financial data or passwords were affected.

Victim
Suzuki
Supply chainContained

Leak at Air France

In August 2025, Air France-KLM disclosed that attackers accessed customer data — names, contact details, Flying Blue loyalty numbers and status, and customer-service request subjects — via a compromised third-party customer-service platform.

Victim
Air France
Supply chainResolved

Leak at Hertz

On 15 April 2025, car-rental company Hertz disclosed a data breach stemming from the late-2024 zero-day exploitation of Cleo's file-transfer software by the CL0P group, exposing customer names, contact details, dates of birth, driver's licences, credit-card and passport data.

Victim
Hertz
Supply chainContained

Leak at Alan (via Almerys)

On 23 May 2026, French digital health insurer Alan warned members that a cyberattack on its third-party claims processor Almerys had exposed their personal data — names, dates of birth, social security numbers and insurance contract details — though payment, password and health data were spared.

Victim
Alan