Data Breach: the Great Hemorrhage

It’s a festival! Announcements of data breaches have been multiplying since early 2025, to the point where one wonders whether France will end up becoming the world’s No. 1 in the field. According to Cybernews, the country is already No. 1 in Europe and No. 2 worldwide. “France alone accounts for 1.8 million compromised accounts between January and June 2025 and is second in the world behind the United States,” the online outlet laments… Not to mention that since the summer, the dark streak has only intensified.
A ranking that keeps progressing, with France oscillating between 9th and 3rd place since 2020, depending on the institutes and companies producing these barometers. Surfshark, a cybersecurity solutions vendor, ranked France only 7th in the first quarter of 2025. Although the scope of these various studies may vary, the figure is nonetheless alarming. “The signal is all the more striking as the global volume of hacked accounts is collapsing at the same time: 15.8 million in the first half of 2025, twenty times less than in the first half of 2024, according to Cybernews’ Personal Data Leak Checker,” our colleagues note.

Some massive breaches are the subject of controversy, such as the one that allegedly hit ANTS, the National Agency for Secure Documents — in other words, the database that notably hosts our national identity cards. On September 19, cybersecurity researcher Clément Domingo, known as SaxX, “confirmed that a database concerning 12.7 million French citizens’ civil status had been hacked.” The one who presents himself as “a good hacker” claimed to have been in contact with the cybercriminals and to have “been able to consult said database entirely yesterday and pass it on to the appropriate authorities.”

The CNIL under scrutiny

“The CNIL is not fulfilling its role enough!” he also lamented. Indeed, it is the responsibility of the Commission nationale de l’informatique et des libertés to ensure proper data security — an area in which it “almost never issues sanctions […] The GDPR has become a joke for data controllers. Instead of sending the message that data needed to be protected, the message sent was that you could just not care,” said Guillaume Champeau, founder of the media Numerama. More troubling, he also pointed out that the CNIL had dismissed a complaint identifying vulnerabilities at ANTS, a case that had reached the Conseil d’État.
Despite this avalanche of criticism, ANSSI firmly denied the claims through its director general. According to Vincent Strubel, the database SaxX refers to is “a database for sale on the dark web since at least March 2025 […] with no identified link to the ANTS databases.” The White Hat nonetheless maintains his allegations.

Other hacks, however, leave no doubt. Among those causing the most concern for their concrete consequences is undoubtedly the breach of the French Shooting Federation (FFTir) database. The 250,000 sport shooters — many of whom legally keep firearms at home — and 750,000 former licensees saw their personal data leaked on the dark web. Discovered on October 20, the hack is believed to have occurred the previous weekend and includes license numbers, civil status, postal addresses, emails, and phone numbers of members. The Federation immediately notified the BL2C, the cybercrime unit, which is now leading the investigation.

Scams, leaks and stolen weapons

The consequences did not take long: on November 26, the Paris prosecutor’s office deplored that “this data [had] been used to commit burglaries or impersonation-based break-ins during which weapons were notably stolen.” In Nice, on November 13, two fake police officers stole weapons and ammunition from a sport shooting enthusiast. Similar attempts had failed a few days earlier in Paris and Orléans. FFTir reminded its members that law enforcement must notify individuals by letter before visiting their homes to check the storage conditions of authorized firearms.
On November 21 in Limoges, two masked individuals stole two pistols and 500 rounds from the home of a sport shooter, a former bodyguard. On November 25 in Décines-Charpieu, near Lyon, a shooter discovered the disappearance of his unbolted safe, which contained five handguns and ammunition.

However, the investigations must still determine whether these burglaries are directly linked to the data breach. Even if thieves can access the contact details of sport shooters, they are essentially operating blind, having no way of knowing whether firearms are actually present in the targeted homes. That information is stored in the “digital rack,” another database that has not (yet?) been compromised. Shooters and hunters must indeed register the firearms they possess in this Weapons Information System (SIA), managed by the Ministry of the Interior.

France Travail, the usual suspect of data leaks

Just as troubling, police officers, soldiers, gendarmes or customs officials are among the victims of this data breach. Although their high-risk profession does not appear in the stolen files, social engineering and cross-referencing of public data make their identification possible, increasing the danger for them and their families.

Not all data breaches have such severe real-world consequences, as in the case of the French Table Tennis Federation, hit last September. While the exposure of personal data of its 254,000 licensees may harm them by exposing them to phishing attempts or identity theft, the consequences in terms of traditional crime are limited, table tennis rackets being less attractive on the black market than firearms.
According to SaxX, all French sports federations and sports associations have been hacked. This is at least confirmed for those of handball (12/05), football (11/27 and 02/21), dance (11/25), archery (01/20), climbing (01/24), etc.

Other actors are accustomed to repeated leaks, such as France Travail. The agency had to admit no fewer than seven data breaches in 2025 alone: July 22, August 12, September 25, October 29 and 6, November 17 and December 1. The latest affected “1.6 million young people followed by the network of local Missions,” according to the agency. A breach that leaked a particularly complete dataset including, beyond the “classic” name, surname, date of birth, postal and email addresses, phone number, the victims’ Social Security number and their France Travail identifier. A small score for France Travail, which, in March 2024, suffered a breach potentially affecting the same data for 43 million people.

10 data breaches per French citizen

Countless town halls have been affected: Saint-Aubin d’Aubigné, Quimper, Chatou, Brest, Alfortville in November, not to mention the Synbird breach — an online civil-status appointment booking service — which impacted 1,300 municipalities. Companies are not spared either: Cuisinella, Schmidt, Leroy Merlin, all between December 1 and 5. One also recalls that Bouygues Telecom and Orange were among the victims. Médecin Direct, a teleconsultation service, was also affected on December 3, with the loss of highly sensitive medical data. In November, the Pajemploi service of URSSAF, used to declare and pay childcare workers, saw the leak of data for “up to 1.2 million employees of private employers,” the organization admitted.

The causes of the epidemic, alas, are nothing original. First, lack of awareness and chronic underinvestment in cybersecurity by companies and local authorities. One example for the latter: in November 2024, the government website cybermalveillance.gouv.fr noted, “As for the budget dedicated to cybersecurity, 77% of elected officials and agents indicate spending less than €2,000.” Human factors (lack of awareness of risks and best practices, negligence, password reuse, etc.) remain at the top of the reasons for this carnage.
The snowball effect is in full swing in a country where an “average French citizen has been the victim of a data breach about 10 times,” according to Maud Lepetit, France manager at Surfshark, and where “3% of French internet users were affected in the first half of [2025], while the United States counts about 8 affected internet users per 1,000,” according to Cybernews. Data recovered by cybercriminals is used to set up scams, which in turn help them recover even more data.
At this rate, indeed, France will end up No. 1 worldwide in data breaches. “Champion, my brother.”