Skip to content

Incidents in sector:

Hospitality

Vulnerability exploitContained

Leak at Maeva

In May 2026, Maeva — the holiday-rental brand of Pierre & Vacances-Center Parcs — disclosed a breach in which an attacker scraped up to ten years of booking data, exposing names, dates of birth, phone numbers and stay details for around 4.5 million customers across 1.6 million reservations.

Victim
Maeva
Data breachResolved

Aman data breach (2026)

In April 2026, the ultra-luxury hotel brand Aman was named by ShinyHunters as the target of a "pay or leak" extortion campaign, with the data allegedly obtained from their Salesforce CRM. The data was subsequently leaked publicly and contained over 200k unique email addresses.

Victim
Aman
Records
215.6K
Supply chainContained

Homair: customer data exposed after a cyberattack

On 31 March 2026, French camping and holiday-village operator Homair disclosed a data breach traced to a compromised third-party technical provider, exposing customers' names, email addresses, phone numbers and booking details (destination, stay dates, amount paid), while bank data, passwords and postal addresses were said to be unaffected.

Victim
Homair
Data breachUnknown

Leak at Eklo

On 3 September 2025, a data leak was claimed affecting Eklo, a French budget and eco-friendly hotel chain. Details on the volume and exact categories of exposed customer data remain unverified.

Victim
Eklo
RansomwareOngoing

Leak at Disneyland

In June 2025, the Anubis ransomware gang claimed a 64GB leak of ~39,000 confidential files from Disneyland Paris — engineering plans and behind-the-scenes photos/videos of park attractions — said to be stolen via a compromised third-party contractor.

Victim
Disneyland
Data breachOngoing

Leak at Côté Sushi

In March 2025, French sushi-delivery chain Côté Sushi had the personal data of roughly 1.1 million customers — names, dates of birth, emails and phone numbers — scraped from its loyalty/delivery database and offered for sale on a cybercrime forum.

Victim
Côté Sushi
Records
1.1M
Data breachUnknown

Data leak at Ze Camping

On 27 November 2024, a database from French camping-holiday booking platform Ze Camping (ze-camping.fr) covering 2014-2024 was advertised for sale on a darknet forum, exposing some 1.6 million records including names, logins, hashed passwords, dates of birth, phone numbers and postal addresses.

Victim
Ze Camping
Records
1.6M
Data breachUnknown

Leak at Huttopia

On 14 November 2024, a data leak affecting Huttopia, the French eco-tourism and glamping operator, exposed customer records including last names, first names and email addresses.

Victim
Huttopia
RansomwareRansom paid

Caesars Entertainment Scattered Spider ransom payment (2023)

Scattered Spider impersonated a Caesars employee on a call to a third-party IT support vendor and convinced the vendor to grant Okta credentials, then exfiltrated customer loyalty data including SSNs and driver's licences. Caesars paid roughly $15 million ransom; the FBI later froze a substantial portion of the funds with Chainalysis assistance.

Victim
Caesars Entertainment
Loss
$15.0M
Data breachResolved

Travelio data breach (2021)

In November 2021, the Indonesian real estate website Travelio suffered a data breach that exposed over 470k customer accounts. The data included email addresses, names, password hashes, phone numbers and for some accounts, dates of birth, physical address and Facebook auth tokens.

Victim
Travelio
Records
471.4K
Data breachResolved

Bourse des Vols data breach (2021)

In January 2021, the French travel company Bourse des Vols suffered a data breach that exposed 1.46M unique email addresses across more than 1.2k .sql files and over 9GB of data.

Victim
Bourse des Vols
Records
1.5M
misconfigurationResolved

RedDoorz data breach

A misconfigured cloud database exposed the records of about 5.9 million RedDoorz hotel-booking customers, making it Singapore's largest data breach at the time and drawing a record-context PDPC fine against operator Commeasure.

Victim
RedDoorz (Commeasure Pte Ltd)
Loss
$54.5K
Records
5.9M
EspionageResolved

Marriott / Starwood guest data breach

Chinese state-attributed operators sat undetected on Starwood's guest reservation database from 2014, surviving Marriott's 2016 acquisition. Disclosed 2018: 500 million guest records exposed, including 5.25 million unencrypted passport numbers.

Victim
Marriott International / Starwood Hotels & Resorts
Loss
$200.0M
Records
500.0M
Data breachResolved

Zomato data breach (2017)

In May 2017, the restaurant guide website Zomato was hacked resulting in the exposure of almost 17 million accounts. The data was consequently redistributed online and contains email addresses, usernames and salted MD5 hashes of passwords (the password hash was not present on all accounts).

Victim
Zomato
Records
16.5M