Ransomware Shut Down Online Tickets for the Louvre, the Eiffel Tower, and 3,500 Other Venues

What Happened

On March 2, 2026, a ransomware attack hit Vivaticket, one of Europe's largest ticketing platforms. The attackers gained access through Irec SAS, a French subsidiary of the Italian company. Within hours, online booking systems for thousands of cultural institutions across Europe went dark.

RansomHouse, a Russian speaking ransomware group active since December 2021, claimed responsibility on its dark web data leak site. The group has victimized over 100 organizations since its founding and operates as a ransomware as a service operation, meaning affiliates rent the tools and infrastructure to carry out attacks.

The Affected Venues

The scale of disruption was extraordinary. Vivaticket serves approximately 3,500 partner organizations across 50 countries and processes around 850 million tickets annually. The attack knocked out secure online ticketing for some of the world's most visited cultural landmarks:

• Musée du Louvre
• Musée d'Orsay
• Musée du Quai Branly
• Notre Dame de Paris
• The Eiffel Tower
• The Arc de Triomphe
• Musée Guimet
• Parc Astérix
• Louvre Lens

Visitors arriving at these venues found that online reservations were unavailable. Some institutions were forced to revert to manual ticketing at the door, creating long queues and capacity management problems.

What Data Was Stolen

RansomHouse claims to have exfiltrated customer data including:

• Full names
• Email addresses
• Purchase history and reservation details
• Country of residence and postal codes
• Account metadata including login timestamps

There is one piece of good news: Vivaticket stated there is currently no evidence that banking or credit card information was accessed. Passwords also appear to have been uncompromised.

The bad news: names and email addresses are enough. Attackers can use stolen email addresses to craft targeted phishing campaigns that reference specific museum visits, making the messages far more convincing. If you received a confirmation email from any Vivaticket venue, your address may now be in criminal hands.

How They Got In

RansomHouse targeted Irec SAS, Vivaticket's French subsidiary, rather than attacking the parent company's Italian infrastructure directly. This is a common pattern in supply chain attacks: instead of breaching a well defended central target, attackers look for a weaker subsidiary or vendor that shares network access.

The same technique was used in the recent Booking.com breach that exposed customer reservation data and the France ANTS passport agency hack that put 19 million citizens' records up for sale. Subsidiaries often run older systems, have smaller security teams, and lack the monitoring capabilities of their parent organizations.

Vivaticket is working with the French National Cyber Security Directorate (ANSSI) and law enforcement to assess the full scope of the breach.

The Ransom Demand

On its dark web leak site, RansomHouse posted: "We strongly recommend that you contact us to prevent your confidential data and project documents from being disclosed." The group has not publicly stated a ransom amount, but the threat is clear: pay, or the stolen customer data gets published.

RansomHouse is known for a double extortion model. First, they encrypt systems to disrupt operations. Then, they threaten to leak stolen data if the victim does not pay. Even organizations that restore their systems from backups still face the data exposure threat. And the encryption is getting harder to break: a new ransomware operation called Kyber is using post quantum cryptography that researchers say may be permanently uncrackable.

What Visitors Should Do

If you have booked tickets through Vivaticket or any of the affected venues:

• Watch for phishing emails that reference your museum visits, ticket purchases, or Vivaticket account activity
• Do not click links in emails claiming to be from Vivaticket or any affected museum unless you can verify the sender
• Change your Vivaticket password if you used the same password on other sites
• Monitor the email address you used for Vivaticket registrations for unusual login attempts on other services

Why This Attack Matters

Vivaticket processes 850 million tickets a year. That is a database of names, emails, and behavioral patterns for hundreds of millions of people who visit cultural institutions worldwide. Even without credit card data, this breach gives attackers a rich profile of potential victims.

It also exposes a systemic risk in the cultural sector. Museums and monuments typically outsource their ticketing infrastructure to platforms like Vivaticket, concentrating millions of visitors' data in a single target. When that platform falls, every institution it serves is affected simultaneously.

For security teams, the lesson is familiar but urgent: third party risk management is not optional. The Louvre did not get hacked. Its ticketing vendor did. But the visitors whose data was stolen will not care about the distinction.