France’s holiday industry hacked three times in 72 hours 389,000 users affected

A cyberattack affecting the French holiday accommodation network Gîtes de France has potentially exposed data belonging to more than 389,000 customers, according to breach monitoring site French Breaches, following a series of similar incidents targeting the country’s tourism sector.

The organisation confirmed on May 17 that it had suffered a data breach on May 16 involving unauthorised access to certain booking records. “An incident of security led to fraudulent access to certain data relating to reservation files,” it said in a statement.

The latest incident is the third cyberattack disclosed in as many days against major French tourism operators, following breaches at Pierre et Vacances-Centre Parcs on May 15 and Belambra on May 16.

According to French Breaches, the same hacker is believed to be behind all three intrusions. The individual reportedly told researchers that the objective was to gain visibility and demonstrate “the extent to which France is a sieve in terms of cybersecurity”.

In the case of Gîtes de France, the attacker is said to have accessed booking data spanning more than three decades, from 1995 to 2026. Compromised information reportedly includes names, contact details, email addresses, postal addresses, and travel details such as dates and length of stay. The company said no banking information had been accessed.

Gîtes de France added that the vulnerability originated from its IT provider Itea, whose software is used by several regional booking centres. It also said only a limited number of French departments were affected, including Guadeloupe, Haute-Garonne and Cantal.

French Breaches claimed the hacker had also accessed hundreds of thousands of additional records across the sector, including reservation data involving minors.

All three companies have said they intend to file legal complaints as investigations continue into the scale and origin of the breaches.

By Aghakazim Guliyev