Croq’Vacances Data Breach: 24GB of Sensitive Medical and Personal Data Leaked

0 comments

Data Breach at Croq’Vacances: Thousands of Individuals Impacted by Exposure of Sensitive Files

A significant data breach at the French summer camp organizer Croq’Vacances has resulted in the exposure of thousands of personal records. An unauthorized party published 24 gigabytes of sensitive data on a darknet forum, including BAFA camp counselor CVs, government-issued identification documents, and medical certificates for minors containing details on allergies and ongoing medical treatments.

Scope of the Exfiltration and Compromised Accounts

The leaked database contains 72,916 individual files, according to findings reported by cyber-intelligence monitors. This archive includes 71,181 contact records and 9,021 job applications. Beyond personal identification, the breach compromised more than 69,000 hashed passwords—secured via the bcrypt algorithm—and 25 administrative accounts.

The exposure of administrative credentials presents a heightened risk, as these accounts provide access to the platform’s back-office. Unauthorized access to these systems allows for the potential modification of holiday bookings, the viewing of payment histories, and the extraction of additional sensitive information.

Medical Privacy and Long-Term Risks for Families

The inclusion of medical certificates for children is a primary concern for data privacy experts. These documents often detail private health information, such as allergies, ongoing treatments, and family history. Under the General Data Protection Regulation (GDPR), such information is classified as highly sensitive.

The unauthorized disclosure of this health data poses long-term risks, including identity theft and potential future discrimination. Information regarding a child’s medical history could be exploited by data brokers or malicious actors to influence future insurance premiums or employment opportunities, as these records may remain in circulation on darknet marketplaces indefinitely.

How the Massive Equifax Data Breach Happened

Regulatory Response and Compliance

Croq’Vacances has confirmed that it is addressing the incident. A company spokesperson stated that internal teams, supported by cybersecurity experts, are currently working to secure the affected systems and assess the full extent of the data exposure. The organization has confirmed it is in contact with the Commission Nationale de l’Informatique et des Libertés (CNIL).

Under the GDPR, organizations are legally mandated to notify the CNIL of a personal data breach within 72 hours of discovery. Companies are also required to directly inform affected individuals if the breach poses a “high risk” to their rights and freedoms. Croq’Vacances has not publicly disclosed the exact date the intrusion was detected or confirmed if the 72-hour notification window was met.

Structural Vulnerabilities in Tourism Platforms

The Croq’Vacances incident highlights a broader security challenge within the tourism and hospitality sector. Unlike the banking or insurance industries, which are often subject to more stringent, standardized cybersecurity requirements, many mid-sized tourism platforms manage a high volume of heterogeneous data—ranging from financial details to medical records—without equivalent technical infrastructure.

Security analysts point to the lack of access segmentation as a critical failure. In this instance, the exposure of 25 administrative accounts suggests that the platform’s system design allowed for broad, unrestricted access to the entire client database. In a secure architecture, administrative privileges are typically segmented to ensure that no single account holds the authority to access all sensitive categories of user information. This practice remains a recurring vulnerability for organizations that prioritize operational efficiency over granular access control.

Related Posts

Leave a Comment