France Data Leaks 2025: The Digital Hall of Shame
"Bouygues Telecom, Pass'Sport, Reduction-Impots.fr: in 2025, 12 million additional French citizens saw their personal data vanish into the wild. The 'Leaks Awards' is a ranking no company wanted to win."
The year 2025 confirms an alarming trend: France remains a digital sieve. While promises to strengthen cybersecurity multiply, three major leaks made headlines, exposing the data of millions of citizens.
This grim ranking, ironically dubbed the "Leaks Awards 2025" by the cybersecurity community, highlights the persistent failure of data protection in France.
The 2025 Leaks Podium - France Category
Bouygues, Pass'Sport, Reduction-Impots: the top 3 digital scandals of 2025.
1st Place: Bouygues Telecom - 6.4 Million Accounts
- Date: August 2025
- Victims: 6.4 million subscribers
- Data exposed: Name, surname, address, phone, email, contract data, potentially IBAN
What Happened
In the middle of August, while France was on vacation, Bouygues Telecom suffered one of the largest leaks in the history of French telecoms. 6.4 million customer accounts were compromised, nearly half of the operator's subscriber base.
The Attack
According to initial findings:
- Exploitation of a vulnerability in the customer management system
- Massive data extraction over several weeks
- Listed for sale on dark web forums for €50,000
Risks for Victims
| Risk Type | Level | Explanation |
|---|---|---|
| Targeted phishing | Critical | Hackers know your operator and can impersonate Bouygues |
| Bank fraud | Critical | If IBAN exposed, fraudulent direct debits possible |
| Identity theft | High | Sufficient data to open lines in your name |
| SIM swapping | High | Risk of number theft to bypass 2FA |
What to Do If You're a Bouygues Customer
- Check your bank statements - Dispute any suspicious direct debit
- Change your password on Bouygues and any account using the same one
- Enable SMS alerts for all bank transactions
- Be wary of calls claiming to be from Bouygues
- Contact your bank to strengthen direct debit security
2nd Place: Pass'Sport - 3.5 Million Households
- Date: December 2025
- Victims: 3.5 million households (including data of minor children)
- Organization: Ministry of Sports
- Data exposed: Parents' identity, children's data, addresses, family situation, income
What Is Pass'Sport?
Pass'Sport is a €50 government subsidy that helps low-income families pay for children's enrollment in sports clubs. Launched in 2021, it covers millions of such families.
The Exceptional Severity of This Leak
This leak is particularly concerning because it exposes:
- Data of minor children: names, surnames, dates of birth
- Financial situation of families: only eligible households (low income) are affected
- Complete addresses of households with children
- Family relationships: who the parents and children are
Warning: Children's data on the dark web is particularly dangerous because it can be used for identity theft that won't be discovered until years later, when the child reaches adulthood.
The Irony
The Ministry of Sports, which is supposed to promote the well-being of young people, failed to protect their most sensitive data. This failure raises questions about the cybersecurity of all government ministries.
Specific Risks
| Victim | Risks |
|---|---|
| Children | Long-term identity theft, fraudulent records |
| Parents | Targeted phishing, benefit fraud in their name |
| Families | Targeted burglaries (addresses + indication of low income) |
What to Do If You Used Pass'Sport
- Monitor your children's mail - any suspicious administrative correspondence
- Check records: request access to the FICOBA file for adult children
- Prepare to contest any fraudulently opened debt or credit
- Document: keep a record of your Pass'Sport registration to prove the leak
- File a complaint if you discover fraudulent use
3rd Place: Reduction-Impots.fr - 2 Million French Citizens
- Date: Spring 2025
- Victims: 2 million users
- Data exposed: Identity, income, assets, tax optimization strategies, bank details
A Treasure Trove for Fraudsters
Reduction-Impots.fr is a tax optimization advisory platform. Its users share their most sensitive financial information to optimize their taxes. This leak is a goldmine for criminals:
- Detailed income of victims
- Real estate and financial assets
- Complete bank details
- Tax vulnerabilities (tax optimization schemes = available funds)
Victim Profile
Users of tax optimization sites are typically:
- Taxpayers with medium to high incomes
- Owning significant assets
- Having available savings to invest
In other words: ideal targets for sophisticated financial scams.
Scams to Expect
- Fake tax advisors proposing "investment opportunities"
- Tax authority impersonation demanding "regularizations"
- Blackmail about tax situations (even legal ones)
- CEO fraud targeting identified entrepreneurs
- Fake inheritances requiring "fees"
What to Do If You Used This Service
- Alert your bank about fraud risk
- Never respond to phone or email solicitations about your taxes
- Verify the identity of any advisor through official registers (ORIAS, AMF)
- Be wary of "exclusive" or "urgent" opportunities
- Report any suspicious contact to the DGCCRF
Special Mention: Michelin - Cl0p Ransomware
- Date: November 2025 (exploited since August 2025)
- Attacker: Ransomware group Cl0p
- Vector: Oracle E-Business Suite zero-day vulnerability (CVE-2025-61882)
- Data exposed: Internal documents, manufacturing files, engineering research, financial data, supplier contracts
A Global-Scale Attack
Michelin was part of a massive campaign by the Cl0p group that hit approximately 100 international organizations: Canon, Mazda, Estée Lauder, Broadcom, Harvard University...
The group exploited a zero-day flaw in Oracle E-Business Suite (CVSS score 9.8/10) enabling arbitrary code execution without any authentication.
What Was Compromised at Michelin
| Data Type | Detail |
|---|---|
| Internal documents | Manufacturing files, engineering R&D |
| Logistics data | Supply chain documentation |
| Financial data | Accounting records, contracts |
| Operational data | Oracle ERP modules |
Exposure of personal data (customers/employees) has not been officially confirmed, but Cl0p issued an extortion threat tied to publication of the data.
Special Mention: Mondial Relay - 2.2 Million Customers
- Date: December 23, 2025
- Victims: 2.2 million French customers
- Data exposed: Name, surname, email, postal address, phone, parcel numbers, dates of birth (~700,000 people)
- Dark web price: ~$5,000
The Christmas Attack
During the holiday season, the parcel relay delivery giant suffered a massive cyberattack. The alert was raised by cybersecurity researcher @seblatombe on X.
Compromised Data
| Type | Status |
|---|---|
| Name, surname, address | Stolen |
| Email, phone | Stolen |
| Parcel/order numbers | Stolen |
| Dates of birth | ~700,000 people |
| Bank details | Not affected |
| Passwords | Not affected |
Conforama - 9.4 Million Customers
- Date: February 1, 2025
- Victims: 9.4 million customers
- Data exposed: Name, surname, email, phone, postal address, purchase history
The furniture giant suffered one of the largest leaks of 2025. Data from 9.4 million customers was stolen and listed for sale on dark web forums.
FFF (French Football Federation) - 3 Million People
- Date: February 24, 2025
- Victims: 3 million licensees and members
- Data exposed: Identity, address, email, phone, license number, payment information
The French Football Federation, the country's largest sports federation, saw the data of 3 million people compromised. Like Pass'Sport, this leak affects many children and teenagers licensed in football clubs.
Chronopost - 210,000 Customers
- Date: January 29, 2025
- Victims: 210,000 customers
- Data exposed: Name, surname, address, phone, email, delivery data
The express carrier confirmed a leak affecting 210,000 customers. Risks include targeted delivery scams and phishing.
Kiabi - 20,000 IBANs Exposed
- Date: January 7, 2025
- Victims: 20,000 customers (bank data)
- Data exposed: Name, surname, address, complete IBAN
Unlike other leaks, this one is particularly serious because it involves complete bank details. IBANs allow direct fraudulent debits.
Autosur - 10 Million License Plates
- Date: March 31, 2025
- Victims: 10 million vehicles
- Data exposed: License plates, vehicle inspection data, owner information
The vehicle inspection network suffered a massive leak exposing 10 million license plates with associated data.
Ircantec - 70,000 Members
- Date: February 13, 2025
- Victims: 70,000 members
- Organization: Supplementary pension fund for non-permanent government employees
- Data exposed: Identity, Social Security numbers, pension data
Ministry of the Interior - 16-17 Million Records (Alleged)
- Date: December 2025
- Alleged victims: 16-17 million citizens
- Status: Under investigation
In December 2025, cybercriminals claimed possession of 16 to 17 million records from the Ministry of the Interior's systems. Investigation ongoing.
OFII (French Office of Immigration) - 2.1 Million Records
- Date: November 2025 (claimed January 2026)
- Victims: 2.1 million foreigners in France
- Attacker: Cybercriminal "Marak"
- Data exposed: Full identity, foreigner number, nationality, immigration status
Why This Leak Is Particularly Serious
Vulnerable Population: Victims are people in immigration situations, often in sensitive administrative procedures. This data can be used for:
- Identity theft: Creating fake immigration documents
- Blackmail: Threats of denunciation or interference with procedures
- Targeted scams: Fake lawyers, fake migrant assistance services
- Discrimination: Identification and targeting of people by nationality
- Administrative fraud: Diversion of benefits or rights
FFTir (French Shooting Federation) - 274,000 Licensees
- Date: October 18-20, 2025
- Victims: 274,000 licensed sport shooters
- Data exposed: License number, civil status, postal address, email, phone
The Specific Risk: Targeting Legal Firearms Owners
Critical Alert: Unlike other leaks, this one identifies legal firearm owners. Criminals can target these homes to steal weapons.
"Suspicious reconnaissance" has already been reported to law enforcement following this leak.
Reported Scams
- Fake police officers asking to "collect your firearms"
- Administrative impersonation with rehearsed scripts
- Intrusion attempts under the pretext of inspection
Ubisoft - 500 GB of Internal Data
- Date: 2025
- Victims: Ubisoft and potentially employees/gamers
- Data exposed: Source code, internal documents, development data
Analysis: Why France Remains a Digital Sieve
Budget 2-3 times lower than other countries: France learns nothing.
Chronic Underinvestment
| Country | Cybersecurity budget (% GDP) | Major incidents 2024-2025 |
|---|---|---|
| France | 0.03% | 15+ |
| Germany | 0.05% | 4 |
| United Kingdom | 0.07% | 6 |
| United States | 0.10% | 8 |
France invests two to three times less than its peers in digital protection.
The Multiplication of Subcontractors
Each leak reveals the same problem: data passes through numerous service providers, each being a potential weak link.
Citizen → Service (Pass'Sport) → Provider A → Subcontractor B → Host C
↓
Potential leak point
The Absence of Deterrent Sanctions
Despite GDPR, fines remain low compared to profits:
- Average CNIL fine: €150,000
- Cost of serious compliance: €500,000 to €2M
- Companies' calculation: Paying the fine is cheaper than protection
Cumulative 2024-2025 Tally
Over 145 million files exposed in 2 years: every French citizen multiple times.
| Year | Major Leaks | Estimated Total |
|---|---|---|
| 2024 | France Travail, Viamedis/Almerys, Free, SFR, CAF, Boulanger | ~100M records |
| 2025 | Conforama (9.4M), Bouygues (6.4M), Pass'Sport (3.5M), FFF (3M), Mondial Relay (2.2M), OFII (2.1M), Reduction-Impots (2M), FFTir (274K), Chronopost, Kiabi, Autosur (10M plates), Ircantec, Ministry of Interior (16M?), Ubisoft, Michelin | ~47M+ people + industrial data |
With over 145 million files exposed in less than two years, every French citizen is now statistically affected by multiple leaks.
How to Protect Yourself
HaveIBeenPwned, password managers, 2FA: your immediate protection plan.
Immediate Actions
- Check your data on HaveIBeenPwned
- Change your passwords - use a manager (Bitwarden, 1Password)
- Enable two-factor authentication everywhere possible
- Freeze your credit file if you suspect identity theft
Continuous Monitoring
- Bank alerts on all transactions
- Monthly verification of your statements
- Annual check of the FICP file (Banque de France)
- Vigilance on administrative mail and emails
In Case of Confirmed Fraud
- File a complaint (police station or online pre-complaint)
- Report on Cybermalveillance.gouv.fr
- Contact the CNIL for your rights
- Contest fraudulent direct debits through your bank
Conclusion: The Urgency of a National Response
The "Leaks Awards 2025" are no joke. They are the symptom of a systemic crisis in French cybersecurity.
Three lessons are clear:
- No sector is spared: telecoms, government, financial services
- The most sensitive data leaks: children, income, assets
- France does not learn from its past mistakes
Pending a political response commensurate with the challenge, every citizen must adopt a posture of systematic distrust: your data has probably already been compromised. Act accordingly.
This article will be updated as more information about these leaks emerges. Last update: December 2025.