France, Digital Sieve: Over 160 Million Records Stolen in 2024-2026
Table of Contents
- The Numbers: The Scale of the Disaster
- Sector Analysis: Who Is Most Vulnerable?
- Why Is France So Vulnerable?
- International Comparison: Is France an Isolated Case?
- Consequences for Citizens
- What the Government Is (or Isn't) Doing
- How to Protect Yourself
- Detailed Scandals: Complete Articles
- Conclusion: Toward Individual Digital Sovereignty
- FAQ
- Sources
"CAF, France Travail, health insurers, hospitals, police files... In 2024, France suffered more data leaks than ever. No sector is spared. Your personal information is probably already on the dark web."
The year 2024 will go down in history as the annus horribilis of French cybersecurity. In just a few months, tens of millions of French citizens saw their personal data exposed, stolen, and put up for sale on criminal forums.
This is not an isolated phenomenon. It is a systemic failure revealing deep flaws in the protection of our most sensitive information: Social Security numbers, addresses, family situations, criminal records, health data.
This article provides a complete overview of the major cyberattacks affecting France, analyzes the causes of this vulnerability, and offers concrete solutions to protect yourself.
The Numbers: The Scale of the Disaster
Over 160 million files exposed in 2024-2026: every French person affected multiple times.
Major Leaks of 2024
| Organization | Date | People Affected | Data Stolen |
|---|---|---|---|
| France Travail | March 2024 | 43 million | Name, surname, DOB, SS#, email, phone, address |
| Viamedis/Almerys | February 2024 | 33 million | Civil status, SS#, insurer name, contract guarantees |
| Boulanger | Sept. 2024 | 27 million | Addresses, emails |
| Free | October 2024 | 19 million | Name, email, phone, IBAN |
| TAJ File | 2024 | 19 million filed | Criminal records |
| Sirius (Temp Agency) | 2024 | 5.9 million | Temp worker data, SS#, contracts |
| MedecinDirect | 2024 | 1.6 million | Patient data, medical consultations |
| Cultura | April 2024 | 1.5 million | Name, address, email, purchase history |
| SFR | 2024 | ~1.4 million | Name, address, phone, IBAN |
| CAF | February 2024 | 600,000 | Beneficiary data, family situations |
| Auchan | 2024 | ~500,000 | Customer data, loyalty cards |
| Pension Insurance | 2024 | 370,000 | SS#, retirement data |
| Intersport | 2024 | 52 GB data | Customers, internal data |
| La Poste | December 2025 | 50,000 | Name, surname, email, phone, address |
| Picard | 2024 | 45,000 | Customer data, loyalty program |
| Truffaut | 2024 | Unquantified | Customer data |
| Grand Palais/Louvre | August 2024 | Ransomware | Shop data, financial systems |
New Leaks Late 2025
| Organization | Date | People Affected | Data Stolen |
|---|---|---|---|
| ANTS (License/ID) | December 2025 | 12 million | Driver's licenses, IDs, addresses (disputed by ANSSI) |
| Pass'Sport/CAF/MSA | December 2025 | 8.6 million | MINORS: SS#, parent names, addresses, sports benefits |
| Hellowork | December 2025 | 2.8 million | CVs, emails, phones, professional data |
| OFII/ANEF | January 2026 | 2.3 million | Immigration files, residence permits, prefectural decisions |
| Pajemploi | November 2025 | 1.2 million | Employer data, childminders, SS# |
| Chronopost | December 2025 | 860,000 | Name, surname, email, phone, delivery address |
| FFHandball | Dec. 2025 | 600,000 | IDs, birth certificates, photos, 30k documents |
| FFF | Nov. 2025 | 2.3 million | Licensed member identities, club contacts |
| SNU | Jan. 2026 | 150,000 | MINORS 15-17 + parents, addresses, schools |
| Lions Club | Jan. 2026 | 133,000 | Elites, business leaders, political figures |
| DCE Conseil | Jan. 2026 | 844 GB | Prison plans, defense, Hermes, Veolia |
Source: CNIL, official statements, specialist press (ZDNet, Numerama), ZATAZ, Clubic, FranceInfo, @seblatombe, @Ced_haurus
December 2025 Update: La Poste also suffered a DDoS cyberattack by pro-Russian hackers (NoName057), paralyzing Colissimo and Digiposte during the Christmas peak. A separate data leak of 50,000 customers was also confirmed.
Cumulative Total
Adding up all major leaks from 2024-2025:
Over 160 million files exposed
With new leaks in late 2025 and early 2026 (Pass'Sport/CAF 8.6M minors, OFII 2.3M immigrants, FFF 2.3M licensed members, Hellowork 2.8M, ANTS 12M disputed), the toll grows considerably.
IMMIGRATION ALERT: The OFII/ANEF leak exposes data of 2.3 million immigrants (immigration status, prefectural decisions). This ultra-sensitive data exposes vulnerable populations to blackmail and exploitation.
CRITICAL ALERT: The Pass'Sport/CAF/MSA leak exposes data of 8.6 million minors (children receiving sports benefits). This is the first massive leak specifically targeting French children's data. The "Indra" group claims the attack.
With France having 68 million inhabitants, this means that statistically, every French person is affected by at least two leaks, and probably more.
What This Means for You
If you are or have been:
- Registered with France Travail/Pole Emploi -> Your data has probably leaked
- Customer of an insurance using Viamedis or Almerys -> Your health data has leaked
- SFR or Free subscriber -> Your data and potentially your IBAN have leaked
- CAF beneficiary -> You may be affected
- Filed in the TAJ (even as a victim) -> Your records are exposed
Sector Analysis: Who Is Most Vulnerable?
Public services, health, police, private sector: all sectors affected, none spared.
Public Services: Chronic Underinvestment
French public organizations are particularly affected:
France Travail (former Pole Emploi)
- 43 million people affected
- Database covering 20 years of history
- Attack method: counselor account impersonation
- Most sensitive data: Social Security numbers
CAF
- 600,000 accounts compromised
- Access to family situations, income, benefits
- Risk of benefit fraud
- Particularly effective targeted phishing
Why are public services so vulnerable?
| Factor | Impact |
|---|---|
| Limited IT budget | Obsolete systems, delayed updates |
| Public contracts | Long procedures, low-cost suppliers |
| Personnel | Insufficient cybersecurity training |
| Complexity | Multiple interconnected systems |
| Priority | Security comes after "functionality" |
Healthcare Sector: Ultra-Sensitive Data
The healthcare sector has become a priority target for cybercriminals:
Viamedis and Almerys (Third-party payment operators)
- 33 million insured affected
- Intermediaries between insurers and healthcare professionals
- Data: civil status, SS#, contract guarantees
- Method: targeted phishing of healthcare professionals
Hospitals and healthcare facilities
- Rennes, Corbeil-Essonnes, Rouen, Versailles University Hospitals...
- Ransomware paralyzing systems for days
- Patient records stolen and published
- Surgeries postponed, patients redirected
"French hospitals have become easy targets. Their systems are obsolete, their staff poorly trained, and the consequences of an attack are so severe they are tempted to pay ransoms."
— ANSSI Expert, 2024
Police and Justice: The Unthinkable
The state's most sensitive files have been compromised:
TAJ File (Criminal Records Processing)
- 19 million people filed
- Merges former STIC (police) and JUDEX (gendarmerie) files
- Contains: convictions, custody, indictments
- Victims and witnesses are also filed
Wanted Persons File (FPR)
- Active arrest warrants
- International alerts
- Classified information now exposed
The implications are terrifying:
- Wanted criminals warned they're under surveillance
- Violence victims identifiable by their attackers
- Police sources potentially compromised
- Ongoing investigations sabotaged
Private Sector: No Better Off
Private companies are not spared:
Telecom operators
- Free: 19 million customers, including IBANs
- SFR: 1.4 million customers, IBANs as well
- Risk of fraudulent withdrawals
E-commerce and services
- Boulanger: 27 million addresses
- Cultura: 1.5 million customers
- Auchan: ~500,000 customers
- Picard: 45,000 customers
- Truffaut: Unquantified leak
- Intersport: 52 GB of data
- Grand Palais/Louvre: Shop ransomware
- Data used for targeted phishing
Health and Social
- MedecinDirect: 1.6 million patients (teleconsultation)
- Sirius: 5.9 million temp workers
- Pension Insurance: 370,000 members
Why Is France So Vulnerable?
Low budgets, absent culture, poorly applied GDPR: the roots of the sieve.
1. Chronic Underinvestment in Cybersecurity
France invests less than its neighbors in IT security:
| Country | Cybersecurity Budget (% of IT budget) |
|---|---|
| United States | 10-15% |
| United Kingdom | 8-12% |
| Germany | 7-10% |
| France | 3-5% |
Source: ANSSI, Gartner 2024 reports
The consequences are visible:
- Aging systems (40% of infrastructure over 10 years old)
- Delayed security updates (sometimes by several years)
- Lack of qualified staff (10,000 unfilled positions)
2. Absent Security Culture
In France, cybersecurity is often perceived as:
- A cost rather than an investment
- A regulatory constraint (GDPR) rather than a necessity
- The "IT people's" business rather than everyone's
Result:
- Weak or shared passwords
- Clicks on phishing emails
- Unencrypted sensitive data
- Unrevoked access (former employees)
3. GDPR: Poorly Applied
Paradoxically, France is a GDPR pioneer, but:
- Non-dissuasive penalties: rare and low fines compared to revenue
- Insufficient controls: CNIL lacks resources
- Focus on paper compliance: companies check boxes without really securing
- Late notification: victims learn of leaks months later
4. Multiplication of Subcontractors
The Viamedis/Almerys case illustrates a major problem:
- Sensitive data passes through intermediaries
- Each link in the chain is a vulnerability point
- Responsibility is diluted
- Security audits are insufficient
5. Two-Speed Administration
There is a gap between:
Sovereign ministries (Defense, Interior)
- Significant cybersecurity budgets
- Internal expertise
- Strict protocols
Everyday public services (CAF, France Travail, hospitals)
- Constrained budgets
- Dependence on external contractors
- Unmaintained legacy systems
International Comparison: Is France an Isolated Case?
Estonia, Israel, Singapore: what countries succeeding in cybersecurity are doing.
Countries Doing Better
Estonia: The digital model
- 100% dematerialized administration
- Blockchain to secure data
- Electronic ID card with strong authentication
- Cybersecurity culture from school
Israel: The cyber-nation
- 20% of global tech budget in cybersecurity
- Ecosystem of specialized startups
- Military service including cyber training
- Effective public-private partnerships
Singapore: The secure Smart Nation
- National cybersecurity agency (CSA) with real powers
- Mandatory penetration testing for critical infrastructure
- Security certification for companies
What Sets These Countries Apart
| Criterion | Estonia/Israel/Singapore | France |
|---|---|---|
| Political priority | High (national security) | Medium (technical subject) |
| Budget | High and growing | Constrained |
| Training | Generalized | Specialists only |
| Reactivity | Hours | Days/weeks |
| Culture | "Security by design" | "Security optional" |
Consequences for Citizens
Identity theft +40%, fraud +33%, phishing +56%: the human cost of leaks.
Identity Theft Explodes
With stolen data, criminals can:
Open bank accounts in your name
- Consumer loans
- Credit cards
- Overdrafts
Usurp your administrative identity
- Address change
- Official document requests
- Benefit fraud
Target you with ultra-personalized phishing
- Emails mentioning your real data (SS#, benefits)
- Phone calls with precise information
- Credible fraudulent SMS
Identity Theft Numbers
| Indicator | 2023 | 2024 | Change |
|---|---|---|---|
| Identity theft complaints | 150,000 | 210,000 | +40% |
| Payment fraud | 1.2B EUR | 1.6B EUR | +33% |
| Phishing reported (Pharos) | 500,000 | 780,000 | +56% |
Source: Ministry of Interior, Bank of France, Pharos
Data Cross-Referencing: The Real Danger
The problem worsens when data from multiple leaks is combined:
- France Travail: Name, surname, SS#, address
- Free/SFR: Phone, email, IBAN
- Viamedis: Insurer, health coverage
- TAJ: Criminal records
By combining these databases, a criminal obtains a complete profile enabling:
- Perfect identity theft
- Personalized blackmail
- Insurance scam
- Sophisticated bank fraud
What the Government Is (or Isn't) Doing
1 billion announced, diluted budgets, difficult recruitment: the promise-reality gap.
Official Announcements
Cyber Plan 2024-2027:
- 1 billion euros announced
- Creation of 1,500 "cyber-firefighters"
- ANSSI reinforcement
- Cyber campus at La Defense
NIS2 Directive:
- European transposition underway
- Extended security obligations
- Strengthened sanctions
Ground Reality
| Announcement | Reality |
|---|---|
| 1B EUR over 4 years | Distributed across many ministries, diluted |
| 1,500 cyber-firefighters | Difficult recruitment, non-competitive salaries |
| ANSSI reinforcement | Still insufficient resources for the threat |
| NIS2 | Transposition delays, many exceptions |
Structural problems persist:
- Budgets announced but not always released
- Slow recruitment facing private sector competition
- Administrations remain siloed
- Prevention remains neglected
How to Protect Yourself
The state won't protect you: password managers, 2FA, VPN, vigilance.
Faced with institutions' inability to protect your data, you must take matters into your own hands.
Immediate Actions
1. Check your exposure
- HaveIBeenPwned.com: check if your email is in leaks
- Contact France Travail, your insurer to find out if you're affected
- Request your data from CNIL (access right)
2. Monitor your accounts
- Banking alerts on every transaction
- Regular verification of withdrawals
- Surveillance of your Ameli account
3. Strengthen your passwords
- One unique password per service
- Password manager (Bitwarden, KeePass)
- Two-factor authentication (2FA) everywhere
Advanced Protection
For more complete protection, consult our Personal Data Protection Guide which details:
- VPN: Why most should be avoided (Kape Technologies acquisition) and which to choose (ProtonVPN, Mullvad)
- Emails: Leave Gmail (Google trains its AI with your emails) for ProtonMail
- Browser: Switch to Brave
- Mobile: GrapheneOS on Pixel for real privacy
- Domiciliation: Protect your physical address
- GetSpecter.app: All-in-one protection platform
Exercise Your Rights
Right of access (Article 15 GDPR)
- Ask any organization what data it holds on you
- Response time: 1 month
- Free
Right to erasure (Article 17)
- Request deletion of your data
- Applicable except legal retention obligations
- Letter templates available on cnil.fr
File a complaint
- CNIL: for GDPR violation
- Police: for identity theft
- Court: civil action for damages
Detailed Scandals: Complete Articles
CAF, France Travail, Viamedis, TAJ: dive deep into each scandal.
To understand each case in depth:
Public Services
Health
Police and Justice
Infrastructure
Protect Yourself
Conclusion: Toward Individual Digital Sovereignty
The massive data leaks of 2024-2025 reveal an uncomfortable truth: the institutions supposed to protect your information are incapable of doing so.
Key takeaways:
- The scale is unprecedented — Over 160 million files exposed in 2024-2026, including 8.6 million minors and 2.3 million immigrants
- All sectors are affected — Public, private, health, police
- Causes are structural — Underinvestment, absent culture, complexity
- Consequences are lasting — Your data will be exploited for years
- Protection is your responsibility — Expect nothing from the state
Faced with this collective failure, individual digital sovereignty becomes a necessity:
- Minimize shared data — Give only the strict minimum
- Use secure tools — VPN, encrypted emails, privacy-first browsers
- Actively monitor — Your accounts, your data, your identity
- Exercise your rights — GDPR, complaints, appeals
This digital sovereignty joins the financial sovereignty we advocate on this blog. In a world where institutions fail to protect us — whether our data or our money — taking back control becomes an act of resistance.
To understand why financial sovereignty is equally crucial, see our article on Bitcoin as Sovereign Money.
FAQ
Is France particularly targeted by cyberattacks?
France is the 4th global target according to ANSSI, after the United States, United Kingdom, and Germany. Its relative vulnerability (obsolete systems, underinvestment) makes it an "easy" target for cybercriminals.
My data has probably leaked. What should I do?
- Check on HaveIBeenPwned.com
- Change your passwords (use a manager)
- Enable 2FA everywhere
- Monitor your bank accounts
- Be vigilant against personalized phishing
- Consult our complete protection guide
Can I claim compensation?
GDPR provides for a right to compensation (Article 82). You can:
- File a complaint with CNIL
- Join a class action
- Take individual court action
Compensation remains low in France (a few hundred euros) but class actions are multiplying.
Will the government improve the situation?
Plans exist (Cyber Plan, NIS2) but results are slow. Cybersecurity remains a technically "unsexy" political subject, and budgets are constrained. Don't wait for the state to protect you — take measures yourself.
How can I prevent my data from being stolen in the future?
Unfortunately, you cannot prevent leaks from organizations you're required to give your data to (Social Security, taxes, etc.). But you can:
- Minimize data shared with non-essential sites
- Use email aliases (SimpleLogin)
- Give false information when legally possible
- Use a domiciliation to protect your address
Related Articles — Cybersecurity & Data Protection
- January 2026 Leaks: NordVPN, Doctolib, LAPSUS$, AXYON
- January 2026 Leaks: OFII and Sports Federations
- January 2026 Leaks: SNU, DCE Conseil, Lions Club
- Telecom Operator Hacks: SFR, Free, Orange
- Personal Data Protection France Guide
- France Travail Hack: Employment Data Breach
- Viamedis Almerys Hack: Health Insurance Breach
- French Hospital Cyberattacks: Ransomware
Sources
- ANSSI — Cyber Threat Panorama 2024
- CNIL — 2024 Activity Report, breach notifications
- Ministry of Interior — Cybercrime statistics
- ZDNet France — 2024 cyberattack coverage
- Numerama — Analysis and investigations
- LeMagIT — Technical expertise
- Official statements — France Travail, CAF, Viamedis, SFR, Free
- Bank of France — Payment fraud report