Vivaticket is coordinating with the French National Cyber Security Directorate and law enforcement to assess the breach, while impacted organizations are notifying customers about potential personal data exposure.

This incident highlights how a ransomware attack on a shared third‑party ticketing platform can disrupt customer‑facing services across thousands of institutions and elevate data risk for users.

The ransomware attack disrupted reservations for about 3,500 European museums and monuments in early March 2026, including major sites such as the Louvre and Orsay.

Direct impacts include outages in secure online ticketing at institutions like the Louvre, Orsay, Quai Branly, Notre-Dame de Paris, the Arc de Triomphe, and the Eiffel Tower, with some venues temporarily closing booking systems.

Affected venues faced outages that blocked tourism sites from processing bookings, affecting museums and landmarks across Europe.

Attackers claimed access to identity‑rich data, though there is no evidence that banking or credit card information was accessed.

Stolen data reportedly includes full names, email addresses, purchase history, country and postal codes, and login timestamps, with no confirmed breach of financial details.

Security experts warn about the risk from third‑party vendors and urge ongoing monitoring of vendor ecosystems and outbound traffic to detect data exfiltration in real time.

CISOs should act: (1) review concentration of third‑party dependencies, (2) scope which reservation data could be exposed, and (3) coordinate customer notification with service restoration for rapid recovery of booking channels.

The RansomHouse group claimed responsibility, saying the entry point was Irec SAS, a French subsidiary of Vivaticket, and alleging theft of confidential documents including names, emails, reservation details, and account metadata.

RansomHouse also alleged that Irec SAS attempted to conceal the incident by contacting victims to prevent data disclosure.

France’s Ministry of Culture said financial impact is still being assessed and the overall scope of the breach is under evaluation.