Campers exposed in Secureholiday data breach defrauded, thousands of dollars lost
Did you recently book a camping site in France?

Image by Cybernews
- Hackers stole personal data from nearly 42,000 reservations across about 500 campsites.
- Ctoutvert said the breach exposed names, emails, destinations, booking dates, and payments, but not banking details.
- Scammers used stolen details in convincing phishing emails; at least 14 campers were defrauded.
- The attack adds to rising cybercrime against travel firms, increasing risks for tourists and operators.
Key Takeaways by nexos.ai, reviewed by Cybernews staff.
Secureholiday, a website where tourists can book their holidays, has been targeted by hackers who stole the personal information of 41,577 Dutch travelers from 500 campsites, primarily in France, Italy, and Spain.
Manuel Mirabel, CEO of Ctoutvert, the French parent company responsible for developing the booking system, confirmed the data breach to Dutch news outlet EenVandaag.
According to a press release, IT workers from Ctoutvert detected an attack on February 28th, allowing hackers to gain access to a single establishment. The unauthorized access was immediately stopped by blocking the IP address on the same day the breach was identified.
Two days later, Ctoutvert confirmed that a data breach had occurred. The breach affected approximately 500 campsites and involved a portion of the reservations made between October 2025 and the end of February 2026.
The exfiltrated data includes names, email addresses, travel destinations, booking dates, and the amounts paid. No payment card or banking information was put in jeopardy.
A total of 41,577 Dutch reservations were compromised in the attack. In addition, more than half of all affected customers are French. Ctoutvert wouldn’t answer questions about the exact number of victims. All affected travelers have been informed of the incident.
According to the developer of the reservation and marketing software, the security issue that led to the breach was patched the same day the hack was discovered. However, a large group of unsuspecting campers received phishing emails in May and June.
They were asked to confirm their reservation via credit card. Because the message contained personal details, it looked genuine. Ultimately, the request for credit card details raised suspicions, prompting them to contact the campsite to inquire. At least 14 campers have been scammed, including 6 customers from the Netherlands.
Stay updated with our latest stories and follow us on social media
Be the first to discover new stories, ideas, and updates from our team.
Recently, there have been more attacks on the tourist industry. In June, dozens of hotels in Belgium, Ireland, and the Netherlands were targeted by an unknown threat actor who stole customer data and reservation information.
Victims were flooded with phishing attempts to trick them into transferring money to scammers’ bank accounts, causing thousands of euros in damages in some cases.
Around the same time, ransomware extortion group ShinyHunters published the personal information of nearly 400,000 customers of Dutch business travel agency BCD Travel on the dark web.
In April 2026, online travel agency Booking.com fell victim to a data breach. A lot of personal details were exposed, including names, email addresses, phone numbers, residential addresses, and other information customers may have shared with the accommodation.
In October 2025, Dutch travel agency Sunweb Group confirmed that an unauthorized party managed to steal the personal information of an undisclosed number of clients.