The boss suggested we take a look at France’s cybersecurity record, and frankly, the view is not pretty. Since early 2024, France government data leaks have reached a scale that would be difficult to believe if the numbers weren’t confirmed by the country’s own regulators. Employment records, health insurance files, bank accounts, hospital charts, sports federation memberships: all breached, all exposed, all adding up to a portrait of systemic failure.
Here is what happened, what it means for ordinary citizens, and why the trend is only getting worse.
France Government Data Leaks: The Scale of the Problem
In February 2024, two healthcare payment processors, Viamedis and Almerys, suffered breaches that exposed the data of 33 million people, nearly half the population. Names, dates of birth, social security numbers, and health insurance details were all compromised. Former CNIL secretary general Yann Padova called it “the biggest security breach in France” at the time. That record did not last long.
One month later, France Travail (the national employment agency, formerly Pôle Emploi) disclosed that hackers had stolen the personal details of up to 43 million people. The attackers used social engineeringThe practice of manipulating people through deception, false identities, or manufactured scenarios to gain access, information, or trust. Often exploits psychological vulnerabilities rather than technical flaws. to hijack accounts belonging to CAP Emploi advisers and accessed twenty years’ worth of job seeker records: names, dates of birth, social security numbers, email and postal addresses, phone numbers. The intrusion ran from February 6 to March 5, 2024, before being detected.
In September 2024, researchers discovered an exposed Elasticsearch server containing 95 million records from at least 17 separate French data breaches, compiled by an unknown actor into a single 30-gigabyte database. For reference, the population of France is about 68 million.
When stolen data becomes a weapon
Most breaches lead to phishing emails and identity theft attempts. The hack of the French Shooting Federation (FFTir) in October 2025 led to something far more dangerous.
Attackers stole records on one million individuals, including 250,000 current license holders and 750,000 former members. The data included names, addresses, phone numbers, and membership details. Crucially, while the federation did not store information about specific firearms, it is public knowledge in France that licensed shooters often keep weapons at home.
Within weeks, criminals began using the leaked data as a target list for burglaries. In Nice, two fake police officers stole firearms and ammunition from a sport shooter. In Limoges, masked individuals took two pistols and 500 rounds from a former bodyguard’s home. In the Rhone region, a competitive shooter was tied up by armed men who forced him to open his gun safe, making off with nine firearms, 1,300 rounds, and a large sum of cash.
French authorities arrested an 18-year-old suspect in January 2026, believed to have orchestrated the hack and sold the data on criminal forums.
The hits keep coming: hospitals, banks, telecoms
In November 2024, a cyberattack on a French hospital exposed the medical records of 758,912 patients, including prescriptions, health card histories, and personal details. The threat actor claimed access to patient records across multiple hospitals, totaling over 1.5 million people.
In October 2024, telecom provider Free (and its subsidiary Free Mobile) was breached, exposing data on 24 million subscriber contracts, including bank account numbers (IBANs). The companies received over 2,500 complaints and were fined a combined €42 million by the CNIL in January 2026.
In late January 2026, an attacker accessed France’s national bank account registry (FICOBA), a database operated by the tax authority that records every bank account opened in the country. The intruder used stolen civil servant credentials to access data on 1.2 million accounts, including IBANs, holder names, addresses, and tax identifiers. The full database holds records on 300 million accounts belonging to 80 million individuals.
What you can do
If you live in France, here are practical steps:
- Check your accounts weekly. Look for unauthorized direct debits or unfamiliar transactions.
- Be suspicious of calls and emails. Scammers are using stolen data to impersonate police officers, bank agents, and government officials. Real authorities will never call you to “secure” your weapons or “verify” your bank details over the phone.
- Change passwords on any service that has disclosed a breach, and do not reuse passwords across services.
- Monitor your credit. With social security numbers and IBANs in the wild, identity theft and fraudulent account openings are real risks.
- File complaints. You can report incidents to the Paris prosecutor’s office or directly to the CNIL.
The uncomfortable truth is that with an average of about 10 data breaches per French citizen, your data is very likely already out there. The question is no longer whether you’ve been affected, but how many times.
The boss suggested we take a hard look at France’s cybersecurity posture, and the findings are damning. Since early 2024, France government data leaks have escalated from a chronic problem into a full-blown crisis, exposing structural weaknesses across government agencies, healthcare infrastructure, financial systems, and the regulatory apparatus meant to prevent exactly this.
France Government Data Leaks: A Timeline of Systemic Failure
The cascade began in late January 2024, when healthcare payment processors Viamedis and Almerys were breached through a phishing attack that compromised health professionals’ credentials. The resulting exposure affected 33 million people, nearly half the French population, compromising social security numbers, insurance details, and civil status data. Former CNIL secretary general Yann Padova described it as “the biggest security breach in France.”
That assessment was outdated within weeks. Between February 6 and March 5, 2024, attackers compromised France Travail (the national employment agency) via social engineeringThe practice of manipulating people through deception, false identities, or manufactured scenarios to gain access, information, or trust. Often exploits psychological vulnerabilities rather than technical flaws., hijacking CAP Emploi adviser accounts to access 20 years of job seeker data. The CNIL confirmed up to 43 million individuals were affected. The CNIL’s subsequent investigation found that authentication procedures were insufficiently robust, logging measures were inadequate to detect anomalous behavior, and access authorizations were far too broad. Most damningly, the CNIL noted that France Travail had identified the appropriate security measures in its own impact assessments but had simply never implemented them.
France Travail was fined €5 million in January 2026, with the CNIL citing “ignorance of essential security principles.” The agency went on to suffer seven additional data breaches in 2025 alone.
The aggregation problem
Individual breaches are damaging. Their aggregate effect is catastrophic. In September 2024, researchers discovered an exposed Elasticsearch server containing 95,350,331 records from at least 17 separate French data breaches, compiled into a single 30.1-gigabyte database by an unknown threat actor. The compilation included data from telecoms, e-commerce platforms, social media, and more.
This is the real danger: individual breaches are being cross-referenced and enriched. A social security number from Viamedis, combined with an address from France Travail, combined with an IBAN from Free, creates a complete identity profile that enables sophisticated fraud far beyond what any single breach would allow.
According to InCyber, citing Surfshark data, the average French citizen has been the victim of approximately 10 data breaches. France ranks first in Europe and second globally for compromised accounts, with 1.8 million accounts exposed in the first half of 2025 alone.
From cyberspace to physical violence: the FFTir case
The October 2025 hack of the French Shooting Federation (FFTir) illustrates a dimension of data breaches that risk models often undercount: physical-world consequences.
Attackers exfiltrated records on one million individuals, including 250,000 active license holders. Within weeks, criminals were using the data as a target list for armed burglaries. Incidents were reported across France: fake police officers stealing firearms in Nice and Paris, masked assailants tying up a shooter in the Rhone region and forcing open his gun safe, a theft in Limoges targeting a former bodyguard. The Paris prosecutor’s office confirmed that the stolen data had been used to commit burglaries in which weapons were stolen.
An 18-year-old suspect was arrested in January 2026, charged with orchestrating the hack and selling the data on cybercriminal forums and Telegram. The case raises serious questions about data retention: the federation held records on 750,000 former members, many of whom had let their licenses lapse years earlier. Under GDPR, organizations are expected to delete data no longer needed for its original purpose.
Government infrastructure under fire
The breaches have not spared core government systems. In late January 2026, an attacker accessed FICOBA, France’s national bank account registry, by impersonating a civil servant whose credentials allowed inter-ministerial database queries. The Ministry of Economy disclosed that 1.2 million accounts were exposed, including IBANs, holder names, and tax identifiers. The database, operated by the Directorate General of Public Finances (DGFiP), contains records on approximately 300 million accounts belonging to 80 million individuals.
Healthcare infrastructure has been equally vulnerable. In November 2024, a breach via the MediBoard electronic patient record system exposed 758,912 patient records at a French hospital, including prescriptions and health card histories. The threat actor claimed access to patient data at multiple hospitals totaling over 1.5 million individuals. In October 2024, Free and Free Mobile were breached, exposing 24 million subscriber contracts including IBANs. The CNIL found the companies had failed to implement basic VPN authentication measures and lacked effective anomaly detection.
The pattern extends to municipalities. Countless town halls have been affected: Quimper, Brest, Chatou, Alfortville, Saint-Aubin d’Aubigné, plus the Synbird breach, which impacted an online civil-status appointment system used by 1,300 municipalities. Sports federations have been hit across the board: shooting, football, handball, table tennis, dance, archery, climbing.
The regulatory response: too little, too late?
The CNIL has escalated its enforcement. In 2024, it issued 87 sanctions totaling €55.2 million, double the number from the previous year. In 2025, it issued 83 sanctions totaling €486.8 million, nearly nine times the 2024 figure. The jump was driven primarily by two massive cookie consent fines (€325 million and €150 million against unnamed major players, widely reported as Google and Shein), but data security breaches remained a central enforcement theme.
The question is whether fines are calibrated to drive change. France Travail, a public agency funded by social security contributions, was fined €5 million for exposing 43 million records. Free and Free Mobile, subsidiaries of the Iliad group, were fined €42 million for exposing 24 million. These amounts, while significant in absolute terms, may not represent sufficient deterrent for organizations processing data at this scale.
One structural critique, raised by Numerama founder Guillaume Champeau and reported by InCyber, is that the CNIL has been too slow to sanction data security failures specifically. “The GDPR has become a joke for data controllers,” Champeau said. “Instead of sending the message that data needed to be protected, the message sent was that you could just not care.”
Root causes and structural vulnerabilities
The recurring patterns across these breaches point to systemic rather than incidental failures:
- Weak authentication. France Travail’s CAP Emploi accounts, Free’s VPN access, and FICOBA’s inter-ministerial credentials all lacked multi-factor authenticationA security method requiring two or more independent identity checks, such as a password plus a one-time code, before granting access to a system. or robust access controls.
- Excessive data retention. France Travail held 20 years of records. The FFTir retained data on 750,000 former members. Free Mobile kept subscriber data without implementing legally required purging.
- Chronic underinvestment. According to cybermalveillance.gouv.fr, 77% of elected officials and local authority agents spend less than €2,000 on cybersecurity.
- Inadequate anomaly detection. Both France Travail and Free lacked effective systems for detecting abnormal access patterns, allowing attackers to operate for extended periods before detection.
The combination of vast centralized databases, weak access controls, and minimal monitoring creates a target-rich environment that threat actors are exploiting with increasing sophistication. France’s position as the top data-breach country in Europe is not the result of bad luck. It is the result of policy choices, budget priorities, and a regulatory framework that is only now beginning to match the scale of the problem.
