Major French Vacation Company Hit by Cyberattack Exposing 1.6 Million Bookings Over a Decade

A cyberattack on a booking platform tied to Pierre & Vacances–Center Parcs, one of Europe’s biggest vacation-resort operators, exposed data linked to 1.6 million reservations, records that could stretch back as far as 10 years, the company confirmed.

The company says no credit card data was taken and no email addresses were compromised. But the leaked information, names, birthdates, phone numbers, and detailed stay information, is exactly the kind of material scammers use to craft convincing texts and phone calls that can trick people into handing over money or sensitive documents.

Pierre & Vacances–Center Parcs said it learned of the incident on May 14, 2026, fixed the vulnerability, filed a criminal complaint, and reported the breach to France’s privacy regulator, the CNIL, roughly the French equivalent of a combined FTC-style privacy watchdog and EU GDPR enforcer.

A breach tied to a central booking hub, not a “brochure” website

The incident centers on a reservation platform calledLa France du Nord au Sud, which the company described as the affected service. It’s not just a marketing site, it’s a booking engine used across multiple brands in the group’s orbit, including Maeva, Pierre & Vacances, and Center Parcs.

That matters because centralized booking tools concentrate huge volumes of customer records in one place. The company emphasized the breach involved a subsidiary and said the broader group’s security systems were not impacted. In practice, cybersecurity experts often warn that large companies are only as secure as their most exposed affiliate, vendor, or “side” platform.

And 1.6 million reservations doesn’t necessarily mean 1.6 million people. A single booking can include multiple guests, families, couples, groups, pushing the number of potentially affected customers into the millions.

The other multiplier is time. The company said the exposed history could go back up to a decade. For a travel business, that’s an entire customer lifecycle, repeat destinations, holiday habits, and patterns that can make a scam feel uncomfortably personal.

What was exposed, and what the company says wasn’t

Pierre & Vacances–Center Parcs said the leaked data was tied to reservation operations. That includes reservation numbers, stay dates and locations, guest names, dates of birth, and a phone number.

On their own, those details can sound routine. Bundled together, they can function like an identity kit, enough to persuade someone that the caller or texter is legitimate. A fraudster doesn’t need your bank account to steal from you if they can convince you to “confirm” a payment, share an ID document, or click a link.

The company says two major categories were not affected: payment data and email addresses. That reduces the risk of classic mass phishing campaigns delivered by email, but it can shift the threat toward SMS “smishing,” phone calls, and scams that combine leaked data with information found elsewhere.

Company response: fix deployed, complaint filed, regulator notified

The company said it was alerted to the attack on May 14, 2026, then identified and corrected the flaw and rolled out immediate measures to secure the affected systems.

It also filed a criminal complaint, a common step in Europe that formally triggers an investigation process even when the perpetrators are unknown. The company reported the incident to the CNIL, which typically reviews what data was exposed, how long it was accessible, what safeguards were in place, and how affected people are notified.

Still, the breach highlights a bigger issue: long-term data retention. Keeping up to 10 years of booking history may help customer service and dispute resolution, but it also creates a larger target, and a larger blast radius when something goes wrong.

Why travel companies are prime targets

Travel bookings combine personal identity details with something uniquely valuable: a calendar. Stay dates and destinations can be used to build believable pretexts (“We need to verify your check-in,” “Your reservation needs an update,” “You’re owed a refund”) and, in the wrong hands, can even hint at when someone might be away from home.

The platform model adds another layer of risk. The more a company consolidates brands and funnels reservations through shared systems, the more “choke points” it creates, places where one breach can spill data across multiple lines of business.

And when companies store large archives for years, those databases can become unmanaged assets, useful internally, but highly monetizable on criminal markets.

What customers should watch for: targeted calls and texts

The most immediate danger is highly tailored fraud attempts. With a reservation number and phone number, scammers can pose as customer service and claim there’s an issue with your booking, then pressure you to provide ID documents, “reconfirm” details, or make a payment to resolve a supposed problem.

Another common play: a text message claiming your stay has changed, a refund is pending, or an option needs approval. The hook doesn’t have to be sophisticated. If the message includes one true detail, your destination, dates, or a guest name, it can feel real enough to prompt a click or a call back.

The safest move is simple: don’t provide additional information to an incoming caller or texter, don’t use phone numbers or links they send, and instead contact the company through official channels you look up yourself. And because the company says payment data wasn’t involved, any “urgent payment” request should be treated as a major red flag.

The decade-long timeframe also means some people may be caught off guard. If you booked years ago, you might not consider yourself a current customer, exactly the kind of lowered guard scammers count on.