Cyber Incident Victim: Pierre & Vacances-Center Parcs Group
Date:
Jun 2025
Location:
France
Summary
Center Parcs detected an intrusion targeting its telephone reservation system, leading to the exposure of personal data for approximately twenty thousand clients across Europe. The compromised information included names, email addresses and reservation details such as location and stay duration, while financial data, passwords, phone numbers and postal addresses were not accessed. The company contained the breach by suspending access to the affected system, notified the French data protection authority, engaged external cybersecurity experts and implemented technical remediation measures, with an ongoing investigation into the attack vector and no evidence of active exploitation reported so far.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On June 4, 2025, Center Parcs, the holiday‑rental subsidiary of Pierre & Vacances‑Center Parcs Group, detected an unauthorized intrusion into its telephone‑based reservation system. The company immediately suspended access to the compromised system and, by June 6, had contained the incident after isolating the affected infrastructure. Following containment, Center Parcs notified the French data‑protection authority, the CNIL, of the breach in accordance with regulatory obligations. To investigate the intrusion and assess any residual vulnerabilities, the firm engaged external cybersecurity specialists and began implementing technical corrective measures aimed at strengthening the security of its reservation platforms.
The operator estimated that roughly twenty thousand customers residing in various European countries had their personal information exposed as a result of the breach. The data accessed by the attackers included names, first names, electronic mail addresses, reservation identifiers and the associated details of the booked stays, such as the cottage location and the duration of the visit. Center Parcs emphasized that no financial information, passwords, telephone numbers or civil addresses were exfiltrated during the incident. After confirming the scope of the exposure, the company proceeded to inform the affected individuals about the nature of the data that had been compromised. While noting that the stolen data set is relatively limited, Center Parcs highlighted that the combination of names, email addresses and reservation specifics could be leveraged to craft targeted phishing messages or fraudulent reservation offers.
In response to the breach, Center Parcs maintained the suspension of the affected reservation system while it deployed the previously mentioned technical corrections to remediate exploitable flaws. The external cybersecurity consultants continued their analysis to determine the exact method of intrusion, although the company has not yet disclosed whether the attack involved ransomware, an SQL injection technique, or any form of insider manipulation. As of the latest statement, Center Parcs reported that it had not observed any active malicious campaigns utilizing the stolen data, but it is evaluating the possibility of filing a formal complaint with law‑enforcement authorities to pursue the perpetrators and deter future incidents. The investigation remains ongoing, and further details about the attack vector or the full extent of the compromise will be disclosed as they become available.