Safety incident
Yes, we have a list of all affected guests and if you have been contacted, you are on this list.
- First name and surname of the main booker
- Email address
- Telephone number
- Destination (campsite)
- Holiday dates
- Travel price
Yes.
No.
Be vigilant. Do not open suspicious messages, respond to them or click on links. All contact attempts by the cybercriminals were aimed at a limited group of guests and were made via WhatsApp. Roan will NEVER include a payment link in a text or WhatsApp message. We may, however, email or text you to remind you that payments for your holiday are outstanding, but these messages will ask you to go to your My Roan account on the website. Your account on the Roan website is secure and protected.
No. This does not affect your holiday in any way.
Cancelled holidays are subject to a cancellation fee in accordance with our booking conditions.
As no financial information, passwords or sensitive personal data was leaked, and because a prompt warning was given to prevent actual financial loss, we are not offering financial compensation for this incident. Our focus remains on the immediate security of your account and the integrity of our systems.
Please contact your bank immediately to explain.
Yes, we take this matter extremely seriously. We are working closely with cybersecurity experts and the relevant data protection authorities.
Yes, our databases are protected by strict security measures, including encryption of data at rest and during transmission. However, this particular incident involved unauthorised access via a vulnerability in a third-party technology provider's system, which allowed the attackers to bypass these safeguards and obtain specific booking data.
We officially discovered the incident on 17 March 2026, following initial reports to our customer service team. At that time, the breach seemed to only affect guests whose stays were due to start in March. However, on 25 March 2026, our third-party technology provider confirmed that the incident actually affected a much larger group of guests. The exact date of the initial data theft by the unauthorised third party was 16 March 2026.
After the discovery, we immediately activated a multidisciplinary crisis management team. We urgently worked with our external technology provider to conduct a forensic analysis and plug the vulnerability. In parallel, we secured our own systems by resetting passwords on partner platforms and verifying multi-factor authentication (MFA) at all critical access points.
The source of the incident in our partner's system has been definitively identified and blocked. We are continuing the thorough forensic investigation together with cybersecurity experts to ensure that no 'back doors' remain open. We have also proactively notified the relevant data protection authorities to comply with our legal obligations.