An online ticketing platform, Vivaticket, which serves thousands of organizations across 50 countries, including the Musée du Louvre and other French national cultural sites, was hit with a ransomware attack in early March, disrupting online reservations.
The attack, which reportedly took place on March 2nd, impacted approximately 3,500 European museums and monuments. Vivaticket is one of the largest providers of ticketing solutions and manages approximately 850 million tickets annually.
The RansomHouse ransomware group claimed responsibility for the breach, which reportedly occurred through Irec SAS, a French subsidiary of Vivaticket.
The group, believed to be closely tied to the Russian-speaking ransomware ecosystem, posted a message on its data-leak site, stating that Irec SAS covered up the incident: “We strongly recommend that you contact us to prevent your confidential data and project documents from being disclosed.”
The attackers claim to have stolen confidential documents, with potentially compromised data including:
- Full names and surnames
- Email addresses
- Purchase history and reservation details
- Country of residence and postal codes
- Account metadata and login timestamps
According to Vivaticket, there is currently no evidence that financial data, such as banking information or credit card details, has been accessed. The French Ministry of Culture explained that “financial impact is currently being assessed by each institution” as it’s “not yet known.”
As a result of the breach, many museums couldn’t access secure online ticketing, including the Musée du Louvre, the Musée d’Orsay, the Musée du Quai Branly, Notre-Dame de Paris, the Arc de Triomphe, and the Eiffel Tower. Several European venues were forced to shut down their booking systems, potentially impacting millions of users – and some online ticketing reportedly remains unavailable.
Vivaticket is currently working with the French National Cyber Security Directorate (ANSSI) and other law enforcement agencies to assess the scope of the attack. Affected organizations are also contacting their customers to notify them about the breach and the potential exposure of personal information.
Ransomware and data privacy expert Dr. Darren Williams, Founder and CEO of BlackFog, shared with Cybernews that the incident serves as a reminder to organizations that it’s not enough to secure your own perimeter – it’s also important to oversee third-party vendors.
“This incident reinforces how attackers are exploiting trusted third-party providers to access concentrated pools of customer data. By compromising a ticketing service, the threat actor bypassed the primary organization and gained access to identity-rich information, enabling potential data exfiltration at scale.
“This reflects a broader trend where ransomware operations prioritize data theft over disruption, using stolen personal data for extortion or follow-on phishing campaigns.
“The takeaway is clear: organizations must extend security controls beyond their own perimeter and treat vendor ecosystems as part of their attack surface. Continuous monitoring of outbound traffic is critical to detect and stop data exfiltration in real time.”
Unlock more exclusive Cybernews content on YouTube.
