Three Cyberattacks in Three Days: Why Tourism Will Have to Prove Its Security


Christophe Mazzola looks back at the cyberattack that hit 3 tourism operators: Belambra, Maeva and Gîtes de France - Depositphotos.com, author: denrud



In mid-May, as families finalize their summer bookings and the sector enters its peak period, a single attacker reminded vacation accommodation providers of a truth they would rather not face. In seventy-two hours, three major players acknowledged a data breach.

On Friday, Pierre & Vacances-Center Parcs, via its platform “La France du Nord au Sud,” a subsidiary of the Maeva brand. On Saturday, Belambra and its forty-four clubs. On Sunday, the Gîtes de France network.

Three business models that were previously separated, brought together in a single weekend by the same weakness and the same method of operation.



What Was Leaked, and What No One Looks At

Each press release insisted on the same point: no banking data.

Pierre & Vacances even specifies that no e-mail address would have been collected on their side. This phrasing has become a crisis-communication reflex, and that is precisely where the misjudgment lies.

It reassures about the only risk that the general public can name, the credit card, and it distracts attention from what was actually stolen.

The loot lies elsewhere. At Gîtes de France, nearly 389,000 customers are affected, with reservations dating back to 1995, and the batch reportedly includes around 360,000 records related to minors and children registered in stay files.

Names, dates of overnight stays, e-mails, phone numbers, postal addresses. No card numbers, certainly, but enough information to craft a phishing message with perfect credibility. When the fake email cites the real date, the real place, and the child’s real first name, the victim’s vigilance weighs little.

In a sector where personal data is inherently family-oriented and spread over time, the absence of banking details is not good news; it’s a mirage.


A Sector Designed to Demonstrate

The most troubling element isn’t technical; it’s political. The hacker didn’t seek to quietly monetize their breach. They publicly claimed their action, explaining in their own words that they acted to demonstrate how porous France is in terms of cybersecurity.

In other words, these three companies did not face a sophisticated criminal operation. They served as a vehicle for a demonstration. And the choice of tourism is hardly a coincidence.

The sector accumulates the risk factors I’ve observed in the field for years. Foundations that have stacked up for three decades without anyone asking why a reservation from 1995 still exists.

A shared IT subcontracting model, where several departmental structures rely on the same provider, hence the same vulnerability. A seasonality that concentrates activity, pressure, and the lowering of vigilance on the same weeks.

And a culture where security is still seen as a technical cost line rather than as a condition of the customer relationship.


The Real Scandal Is the Data We Should Never Have Kept

What strikes me is not that these attacks were possible, but that they were predictable. The risk had been identified, sector-specific, documented for months. The missing half of the equation was the decision to act.

I call this the decision gap, the structural delta between the moment we know and the moment we decide.

A record from 1995 that is still exploitable in 2026 is not a technical accident. It is a retention decision that was never made, thus never arbitrated, thus renewed by default year after year. The sector has confused commercial memory with passive accumulation.

Yet the best-protected data is the data you no longer hold. Minimization and limited retention periods are not regulatory constraints to endure; they are levers to reduce the attack surface: what no longer exists in the system cannot leak.

Three decades of reservations kept “just in case” became, in a single weekend, three decades of exposed responsibility.


Digital Trust, the New Asset of Tourism


Who Is Christophe Mazzola?


Photo: Christophe Mazzola

Christophe Mazzola is a cybersecurity expert, founder of the Cyber Academy and head of the GRC practice at Cresco Cybersecurity.

His objective: to make cybersecurity accessible to everyone.

A speaker, author, and CISO, he supports companies and institutions in a pragmatic approach to digital security, at the crossroads of leadership, pedagogy, and digital sovereignty.

Amara Nambinga


I write about tourism, culture, and emerging destinations with a Namibian perspective. Through my articles, I try to highlight the places, people, and travel stories that show how Africa and the wider world are changing.