Secureholiday (Ctoutvert): 41,577 Dutch campers affected
Ctoutvert (Secureholiday) confirms a breach affecting 41,577 Dutch campers. No IBANs or cards leaked, but emails, phone numbers and stay dates exposed and used for targeted fraud.
Key update — 15 July 2026: Ctoutvert, operator of the Secureholiday platform, confirmed an exfiltration exposing booking data of 41,577 Dutch campers. Fraudsters are leveraging stay details to send highly convincing phishing emails and make calls.
What happened
- Who: Ctoutvert, with Secureholiday used by roughly 500 campsites across Europe.
- What: Customer data exfiltration followed by phishing using precise booking details.
- Where: Campsites mainly in France, Spain and Italy; victims identified in the Netherlands (customer ecosystem also in BE, DE, LU).
- When: Intrusion discovered on 28 February 2026; public confirmation on 15 July 2026; fraud reports in July 2026.
- Data exposed: Name, email, phone, booking details and stay dates. Ctoutvert says no payment or bank data were involved.
Legal framework
The GDPR requires appropriate security (Article 32), notification to the Supervisory Authority within 72 hours of becoming aware (Article 33), and communication to data subjects in case of high risk (Article 34). In cross‑border SaaS, coordination and the one‑stop‑shop mechanism are key. See the relevant GDPR obligations for controllers and processors.
For Luxembourg operators within NIS 2 scope, obligations cover risk management, supply‑chain security and incident notification, under national supervision. See the scope and implications on NIS 2 Luxembourg.
What this means for Luxembourg businesses
- Summer risk window: Holiday bookings enable scams timed to arrival/return dates.
- Supply‑chain exposure: Booking providers, CRMs, payment engines and call centers are critical attack paths even without card data leakage.
- Response clock: Once a breach is “known,” the GDPR timer starts (72 h to authority; notify individuals if high risk).
Action checklist for this week
- Map booking/CRM dependencies: Inventory all flows (APIs, exports, SFTP, emails), verify logging, MFA and segmentation; document Article 32 GDPR and NIS 2 Article 21(2)(d) controls.
- Post‑booking fraud playbook: 24‑hour customer notices, block look‑alike domains, DMARC reject, SOC alerting on keywords, call‑center scripts.
- DLP and monitoring: Enable email/CRM DLP, watch for leaked booking lists, revoke compromised tokens/APIs. Strengthen dark web monitoring for early exposure detection.
- Processor contracts: Article 28 GDPR clauses (24–48 h notices, logging, encryption, resilience, data purge), aligned with NIS 2 and DORA if applicable.
- Customer communications: Signed SMS/emails, public info page, clear FAQ, out‑of‑band authentication guidance, dedicated hotline for imminent stays.
- Notification dry‑run: Prepare the authority dossier (context, data categories, volumes, remedial actions, risks, mitigation) and an Article 34‑compliant customer notice.
Sources
- EenVandaag, NL Times and Cybernews corroborate the scope and nature of the exposed data.
Article generated by Luxgap regulatory watch. For tailored guidance on this topic, contact us.
A question on this topic?
Our team usually replies within one business day. Configure your quote or write to us.
Build my quote →