10 Biggest Data Breaches in France [2026]

Discover the 10 biggest data breaches in France. From France Travail to Cegedim. CNIL fines, reporting rules and prevention methods explained.

Vincent Delitz

Created: April 21, 2026

Updated: April 21, 2026

Key Facts
  • The France Travail breach (March 2024) exposed the personal data of up to 43 million job seekers, making it the largest data breach in French history. The CNIL fined France Travail 5 million euros in January 2026 under GDPR Article 32, where the maximum fine for a public body is 10 million euros.
  • Between 2024 and 2025, more than 145 million records belonging to French citizens were exposed across public services, healthcare, telecom and retail, equivalent to multiple breaches per French resident.
  • Three of the four major French telcos (Free, Bouygues Telecom, SFR) confirmed data breaches in 2024-2025, with Free and Bouygues Telecom alone exposing IBANs of more than 11 million subscribers combined.
  • The CNIL issued record combined fines of 42 million euros against Free Mobile (27M) and Free (15M) on 13 January 2026, signaling a move from warnings to punitive enforcement.
  • French controllers must report personal data breaches to the CNIL within 72 hours under GDPR Article 33. Operators of vital importance (OIV) and essential services (OSE) additionally notify ANSSI; the transposition of NIS2 into French law was still ongoing in 2026.

1. Introduction

France has become one of the most breached jurisdictions in Europe. Between 2024 and 2025, more than 145 million records belonging to French citizens were exposed across public services, healthcare, telecom and retail, meaning statistically every French resident has been part of multiple breaches. According to the CNIL, over 5,600 breach notifications were received in 2024, a new all-time high.

This article lists the 10 most significant data breaches in recent French history, from the 43 million records exposed in the France Travail incident to the Cegedim Santé health software leak, alongside CNIL reporting rules, fines and prevention patterns that apply to any organization operating in France.

2. Why is France an Attractive Target for Data Breaches?

France's highly digitized public sector, its dense healthcare payment ecosystem and three major telecom operators each holding tens of millions of subscriber records combine to produce an outsized attack surface. Add chronic underinvestment in cybersecurity relative to peer countries and social engineering targeting front-line advisers, and the result is the record-breaking series of breaches France experienced in 2024-2026.

2.1 Highly Digitized Public Sector

France has one of the most advanced e-government stacks in Europe. FranceConnect, the national identity federation, routes access to tax, healthcare, employment and family benefits. A single compromised adviser account can therefore expose records spanning decades, as seen with France Travail, Pass'Sport and OFII. The public sector holds citizen data from cradle to grave, creating a concentration of sensitive records unmatched in scale.

2.2 Dense Ecosystem of Third-Party Processors

French health insurance relies on a small number of "tiers payant" platforms (Viamedis, Almerys, Cegedim) that process data for dozens of mutuelles. One intrusion therefore propagates to tens of millions of policyholders. The same pattern is visible in telecom (Bouygues Telecom's 2025 breach via a third-party supplier) and in e-commerce. Even organizations with mature internal security programs remain exposed through their vendor networks.

2.3 Chronic Underinvestment in Cybersecurity

Independent analyses such as Edouard.ai estimate France's public cybersecurity spending at roughly 0.03% of GDP (an estimate, not an official figure), noticeably lower than peer European countries. Average CNIL fines historically remained below EU peers, reducing the financial deterrent for lax security, a gap the regulator is now closing with record sanctions against Free Mobile, France Travail and others.

2.4 Social Engineering and MFA Gaps

Several of the biggest French incidents (France Travail, Viamedis, Free) started with phishing or account takeovers on adviser or employee portals that did not enforce phishing-resistant MFA. In every case, attackers targeted the humans at the edge rather than the core infrastructure. The FIDO Alliance classifies passkeys as phishing-resistant by design, since each passkey is bound to the legitimate origin and cannot be replayed against attacker-controlled sites. French public services and telcos that have not yet rolled out passkeys or hardware-backed authentication remain exposed to the same attack class.

3. 10 Biggest Data Breaches in France

The ten largest French data breaches since 2023 exposed at least 145 million records combined and triggered CNIL fines totaling 47 million euros by January 2026. They span public services (France Travail, Pass'Sport), healthcare platforms (Viamedis, Almerys, Cegedim Santé), telecom (Free, Bouygues Telecom) and consumer retail (ManoMano, Sport 2000). The table below summarizes scope, year and regulatory outcome; detailed case descriptions and prevention patterns follow.

| # | Company / Entity | Year | Records or Scope | Regulatory Outcome |
| --- | --- | --- | --- | --- |
| 1 | France Travail | 2024 | Up to 43 million | 5M EUR CNIL fine (2026) |
| 2 | ManoMano | 2026 | Up to 37.8 million (claimed) | Under review |
| 3 | Viamedis and Almerys | 2024 | 33 million | CNIL investigation ongoing |
| 4 | Free / Free Mobile | 2024 | 24.6 million (5.11M IBANs) | 42M EUR CNIL fine (2026) |
| 5 | Cegedim Santé (MLM) | 2025 | 15 million | Criminal investigation opened |
| 6 | France Travail (MOVEit) | 2023 | 10 million | No separate CNIL fine |
| 7 | Bouygues Telecom | 2025 | 6.4 million (with IBANs) | CNIL and ANSSI notified |
| 8 | Pass'Sport | 2025 | 6.4 million email addresses | CNIL notified |
| 9 | Sport 2000 | 2024 | 3.2 million | HIBP indexed, CNIL notified |
| 10 | Fédération Française de Football | 2025 | ~2.4 million licensed members | CNIL notified |

3.1 France Travail Data Breach (2024)

| Details | Information |
| --- | --- |
| Date | March 2024 |
| Impacted Customer Number | Up to 43 million |
| Breached Data | Full names; Dates and places of birth; Social security numbers (NIR); France Travail IDs; Email addresses; Postal addresses; Phone numbers |

In March 2024, France Travail (formerly Pôle Emploi) and Cap Emploi disclosed what is now considered the largest data breach in French history. Attackers used social engineering to hijack the accounts of Cap Emploi advisers (the organization supporting people with disabilities) and accessed data of all individuals who had been registered over the past 20 years, as well as candidates with a profile on francetravail.fr. According to the CNIL, up to 43 million people may have been affected.

On 22 January 2026, the CNIL fined France Travail 5 million euros under GDPR Article 32, where the statutory maximum for a public body is 10 million euros. The regulator cited "ignorance of essential security principles" and ordered corrective measures under a penalty of 5,000 euros per day. This was France Travail's second breach: in August 2023, a third-party incident linked to the Cl0p ransomware group exploiting a MOVEit Transfer zero-day had already exposed the data of 10 million users.

Prevention methods:

  • Enforce phishing-resistant MFA (passkeys) for all adviser and administrator accounts accessing bulk citizen data
  • Apply bulk-query anomaly detection and strict data retention rules on citizen databases
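
One way to implement the bulk-query check named above, as an added example that is not part of the original article or any France Travail system. The log format, adviser ids, record ids and thresholds are assumptions, and all log lines are constructed.

```python
"""Bulk-access detection over an adviser audit log (all data below is constructed)."""
from collections import defaultdict
from statistics import median


def build_access_log():
    """Constructed lines: '<ISO timestamp> <adviser id> <record id>' (assumed format)."""
    lines = []
    # Ordinary casework: each adviser opens a handful of distinct files per hour.
    casework = {"adv-01": [4, 6, 5, 7], "adv-02": [3, 5, 4, 6], "adv-03": [5, 4, 6, 5]}
    for adviser, per_hour in casework.items():
        for hour, n in enumerate(per_hour, start=9):
            for i in range(n):
                lines.append(f"2024-03-04T{hour:02d}:{i:02d}:00Z {adviser} REC-{adviser}-{hour}-{i}")
            # Re-opening a file already seen this hour must not inflate the count.
            lines.append(f"2024-03-04T{hour:02d}:30:00Z {adviser} REC-{adviser}-{hour}-0")
    # The same adv-02 login reading 400 different files in one night-time hour.
    for i in range(400):
        lines.append(f"2024-03-05T02:{i // 7:02d}:{i % 60:02d}Z adv-02 REC-BULK-{i}")
    return lines


def distinct_per_hour(lines):
    """Return {(adviser, 'YYYY-MM-DDTHH'): number of distinct records opened}."""
    seen = defaultdict(set)
    for line in lines:
        ts, adviser, record = line.split()
        seen[(adviser, ts[:13])].add(record)
    return {key: len(records) for key, records in seen.items()}


def flag_bulk_access(counts, threshold=3.5, min_records=50):
    """Flag adviser-hours far above the peer baseline with a median/MAD z-score."""
    values = list(counts.values())
    med = median(values)
    mad = median(abs(v - med) for v in values)
    flagged = []
    for (adviser, hour), n in counts.items():
        if n < min_records or n <= med:
            continue  # absolute floor keeps ordinary busy hours out of the alert queue
        # 0.6745 scales the MAD so the score is comparable to a standard z-score.
        score = 0.6745 * (n - med) / mad if mad else float("inf")
        if score > threshold:
            flagged.append((adviser, hour, n))
    return sorted(flagged)


if __name__ == "__main__":
    for adviser, hour, n in flag_bulk_access(distinct_per_hour(build_access_log())):
        print(f"ALERT {adviser} opened {n} distinct records in hour {hour}")
```

The median/MAD baseline is used instead of mean and standard deviation so that the bulk read itself does not drag the baseline upward and hide the alert.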

3.2 ManoMano Data Breach (2026)

| Details | Information |
| --- | --- |
| Date | February 2026 |
| Impacted Customer Number | Up to 37.8 million (claimed) |
| Breached Data | Identity data; Contact details; Administrative information |

In February 2026, French DIY e-commerce giant ManoMano was named by threat actors in a data sale referenced across multiple French cybersecurity trackers. The actor claimed to have compromised up to 37.8 million customer records, including identity data, contact details and administrative information. The scale of the claim is consistent with the platform's cumulative EU user base rather than active French customers, but the incident is still one of the highest-volume French-linked data sales ever observed.

The exposure underlines how large consumer marketplaces in France have become as attractive to attackers as banks or telcos, particularly when the data can be combined with prior leaks to build "identity graphs" for fraud.

Prevention methods:

  • Continuously monitor underground forums and breach marketplaces for exposed customer lists and enforce strong API rate limits on customer endpoints
  • Minimize retention of historical, low-activity customer profiles

3.3 Viamedis and Almerys Data Breach (2024)

| Details | Information |
| --- | --- |
| Date | January-February 2024 |
| Impacted Customer Number | 33 million |
| Breached Data | Names; Dates of birth; Insurer details; Social security numbers; Marital and civil status; Third-party payment entitlements |

In January and February 2024, Viamedis and Almerys, two French third-party payment processors for supplementary health insurance, were breached in quick succession. The CNIL confirmed that combined, the incidents affected 33 million people, nearly half of France's population.

The Viamedis intrusion was traced to a phishing attack targeting healthcare professionals, allowing attackers to reuse stolen credentials on the provider portal. Almerys is suspected to have been hit via a similar healthcare professional portal.

"It is the first time there has been a violation of this magnitude." — Yann Padova, former CNIL Secretary-General (2024)

Prevention methods:

  • Deploy phishing-resistant MFA (passkeys) for every healthcare professional accessing insured-member data
  • Segment tiers-payant platforms so that one compromised portal cannot expose the entire national database

3.4 Free Data Breach (2024)

| Details | Information |
| --- | --- |
| Date | October 2024 |
| Impacted Customer Number | 24.6 million contracts (19.46M Free Mobile + 5.17M Free), including 5.11M IBANs |
| Breached Data | Full names; Email addresses; Dates of birth; Postal addresses; Phone numbers; 5.11 million IBANs (Free only) |

In October 2024, Free (France's second-largest ISP and a subsidiary of the Iliad group) confirmed that attackers had compromised an internal management tool and exfiltrated data on 19.46 million Free Mobile and 5.17 million Freebox contracts, including the IBANs of all 5.11 million Freebox customers. The data was quickly auctioned on BreachForums by a threat actor known as "drussellx", with the final bid reaching 175,000 euros.

Free emphasized that passwords, payment card data and communications content were not affected, but the combination of IBAN, full name and date of birth is sufficient for direct-debit fraud and high-quality phishing. On 13 January 2026, the CNIL fined Free Mobile 27 million euros and Free 15 million euros (42 million euros in total) for inadequate security around subscriber data, one of the largest combined GDPR sanctions ever issued in France for a data breach.

Prevention methods:

  • Protect privileged internal tools with phishing-resistant MFA and just-in-time access
  • Tokenize IBANs and payment identifiers so that subscriber records are not directly monetizable

3.5 Cegedim Santé (MLM) Data Breach (2025)

| Details | Information |
| --- | --- |
| Date | October 2025 |
| Impacted Customer Number | Approximately 15 million patients |
| Breached Data | Administrative patient data (surname, first name, gender, etc.); 19 million records over 15 years |

In October 2025, attackers breached "MonLogicielMedical.com" (MLM), a medical practice management software package published by Cegedim Santé and used by thousands of French healthcare professionals. According to the French Ministry of Health, the incident compromised administrative data of roughly 15 million French patients, spanning up to 15 years of history and 19 million digital record lines.

In its February 2026 clarification, Cegedim Santé stated that the data at issue was exclusively administrative (identity-type information such as surname, first name and gender), and that structured clinical records, free-text medical comments and sensitive diagnoses such as HIV status were not involved. A criminal investigation for "breach of an automated data system" was opened on 27 October 2025.

"Potentially the largest leak in French healthcare history." — Gérôme Billois, cybersecurity expert at Wavestone (October 2025)

Prevention methods:

  • Enforce strong authentication (passkeys) for every practitioner accessing cloud medical software
  • Apply strict data minimization and segregation between administrative identity data and clinical records in SaaS medical platforms

3.6 France Travail MOVEit Breach (2023)

| Details | Information |
| --- | --- |
| Date | August 2023 |
| Impacted Customer Number | Approximately 10 million |
| Breached Data | Full names; Social security numbers; Contact details |

Before the headline-making 2024 incident, France Travail was already the victim of a third-party breach linked to the Cl0p ransomware group exploiting a zero-day vulnerability in the Progress MOVEit Transfer software. The attack exposed the personal information of roughly 10 million job seekers, including names, NIRs and contact details. It was part of the global MOVEit supply-chain wave that affected hundreds of organizations worldwide and foreshadowed the even larger 2024 breach of the same agency.

Prevention methods:

  • Maintain an up-to-date inventory of third-party file-transfer software exposed to the internet and apply virtual patching for zero-day windows
  • Segment file-transfer pipelines from core HR and citizen databases

3.7 Bouygues Telecom Data Breach (2025)

| Details | Information |
| --- | --- |
| Date | August 2025 |
| Impacted Customer Number | 6.4 million |
| Breached Data | Full names; Postal addresses; Phone numbers; Dates of birth; Contract data; IBANs |

On 4 August 2025, Bouygues Telecom, one of France's major mobile carriers with around 14.5 million mobile subscribers and a total customer base of roughly 23 million, detected a cyberattack against a customer management system. Two days later, the company confirmed that attackers had accessed personal and contractual data for 6.4 million customers, including IBANs. Passwords and payment card numbers were not compromised.

The breach, believed to have originated from a third-party supplier, was reported to the CNIL and ANSSI. Under French Code pénal Article 323-1, the attacker faces up to three years of imprisonment for unauthorized access to an automated data processing system, rising to five years where data is altered or the system is impaired. Bouygues Telecom itself faces GDPR scrutiny from the CNIL for its third-party risk management. The incident is part of a broader pattern that also hit SFR (September 2025, banking details) and Free in 2024-2025.

Prevention methods:

  • Treat third-party suppliers as part of the core attack surface and require phishing-resistant MFA across all connected systems
  • Tokenize IBANs and other payment identifiers to limit the value of bulk data theft

3.8 Pass'Sport Data Breach (December 2025)

| Details | Information |
| --- | --- |
| Date | December 2025 |
| Impacted Customer Number | 3.5 million households (6.4 million unique email addresses) |
| Breached Data | Beneficiary and parent identities; Contact details; Administrative information |

Pass'Sport is a French government program run by the Ministry of Sports that provides a 70 euro subsidy (previously 50 euros) to eligible young people for sports club memberships. On the night of 17-18 December 2025, a 15 GB file containing more than 22 million lines of data appeared online. Initial media reports wrongly attributed the leak to the Caisse d'Allocations Familiales (CAF), which publicly denied any intrusion into caf.fr. The Ministry of Sports later confirmed that the data originated from the Pass'Sport information system, covering roughly 3.5 million households and 6.4 million unique email addresses of beneficiaries and their parents or guardians.

The exposed records covered the period from September 2024 to November 2025 and included full identities, postal addresses, phone numbers and email addresses, but no banking data or passwords. The dataset is particularly valuable for targeted phishing against families with minors, and a large share has since been indexed in Have I Been Pwned.

Prevention methods:

  • Apply the strictest possible protection to systems processing data of minors, including mandatory phishing-resistant MFA for administrators
  • Minimize the duration for which beneficiary data is retained after program expiry

3.9 Sport 2000 Data Breach (2024)

| Details | Information |
| --- | --- |
| Date | April 2024 |
| Impacted Customer Number | 3.2 million unique email addresses (4.4 million records) |
| Breached Data | Full names; Email addresses; Phone numbers; Postal addresses; Dates of birth; Purchase history per store |

In April 2024, French sporting goods retailer Sport 2000 suffered a data breach that was later indexed by Have I Been Pwned. A threat actor operating under the alias "ChatNoir7331" posted a database of 4.4 million rows with 3.2 million unique email addresses for sale on a hacking forum, and the dataset was subsequently republished for free in June 2024. The leak included names, email and postal addresses, phone numbers, dates of birth and detailed purchase history keyed to specific store locations.

The combination of contact data and per-store purchase history makes the Sport 2000 leak particularly useful for highly targeted phishing ("your recent purchase at Sport 2000 Lyon...") and illustrates how mid-sized French retailers can produce consumer-scale breaches when marketing databases are poorly segmented.

Prevention methods:

  • Segment marketing and transactional databases, and rotate access tokens used by third-party marketing tools
  • Minimize retention of historical purchase data tied to identifiable customers

3.10 Fédération Française de Football Data Breach (2025)

| Details | Information |
| --- | --- |
| Date | 2025 |
| Impacted Customer Number | Approximately 2.4 million licensed members |
| Breached Data | Member identities; Dates of birth; Contact details; Licence numbers |

In 2025, the Fédération Française de Football (FFF) disclosed a breach that exposed the personal data of its licensed members. The FFF's published figure is roughly 2.38 million licensed members for the 2023-2024 season. According to the FFF's own "vol de données" notice, the incident covered identity and contact data (names, dates of birth, licence numbers and some identity documents) and explicitly excluded health data. The FFF incident was part of a wave that also hit Fédération Française de Voile, Fédération Française de Gymnastique, Fédération Française de Tir and others, confirming French sports federations as an attractive target because of their large, historically stored datasets and comparatively weak IT security budgets.

Prevention methods:

  • Prioritize cybersecurity investment in federations and non-profits that hold decades of member data
  • Remove historical records that are no longer needed to operate licences

4. How to Report a Data Breach in France

French controllers must report a personal data breach to the CNIL within 72 hours of becoming aware of it, under GDPR Article 33. If the breach is likely to result in a high risk to affected individuals, GDPR Article 34 requires notifying them without undue delay. Operators of vital importance (OIV) and operators of essential services (OSE) additionally notify ANSSI; the full transposition of the NIS2 directive into French law was still ongoing in 2026.

4.1 GDPR 72-Hour Rule (Article 33)

Under GDPR Article 33, a controller must notify the CNIL of a personal data breach not later than 72 hours after becoming aware of it. If notification is delayed, the controller must provide reasons for the delay. The notification must describe the nature of the breach, categories and approximate number of affected individuals, likely consequences and measures taken or proposed.

4.2 Competent Authority: the CNIL

Unlike Germany's 16 state-level DPAs, France has a single national supervisory authority: the Commission Nationale de l'Informatique et des Libertés (CNIL). The CNIL enforces GDPR for both public and private sector controllers and has the power to impose administrative fines of up to 20 million euros or 4% of global annual turnover, whichever is higher. Recent combined sanctions against Free Mobile and Free (42 million euros, of which 27 million against Free Mobile) and France Travail (5 million euros) show that the CNIL has shifted from warnings to punitive enforcement.

4.3 ANSSI Reporting for OIV, OSE and NIS2

Operators of vital importance (OIV) and operators of essential services (OSE) must additionally report significant cyber incidents to the ANSSI, the French national cybersecurity agency. The NIS2 directive extends mandatory reporting to more sectors, including digital service providers, manufacturing and waste management. Its transposition into French law was still in progress in 2026, and ANSSI has stated it will communicate throughout the process; the European Commission also issued a reasoned opinion for incomplete transposition. Once in force, reports will follow a staged timeline: an early warning within 24 hours, full notification within 72 hours and a final report within one month.

4.4 Individual Notification (Article 34)

When a breach is likely to result in a high risk to the rights and freedoms of individuals, GDPR Article 34 requires direct notification to affected persons in clear and plain language. The France Travail, Viamedis, Free and Cegedim Santé cases all triggered Article 34 obligations. Failing to notify is a common trigger for additional regulatory penalties on top of the underlying breach.

Four patterns recur across the ten cases: concentration of citizen data in a highly digitized public sector, third-party and supply-chain compromise as the dominant entry point, credential stuffing turning French public portals into soft targets and a CNIL that is rapidly catching up in enforcement. Understanding these patterns is more actionable than memorizing individual incidents.

5.1 Public-Sector Digitization Creates a Nationwide Attack Surface

France Travail, OFII, FICOBA and Pass'Sport show how much citizen data is concentrated in a few public platforms. One compromised adviser account at Cap Emploi was enough to expose 43 million records; one leaked Pass'Sport partner integration was enough to expose 3.5 million households. France's reliance on FranceConnect and shared public-service logins amplifies this risk: a single compromised password tied to a NIR can unlock multiple public services at once.

Viamedis, Almerys, Cegedim Santé, Bouygues Telecom and the 2023 France Travail MOVEit incident share the same root cause: compromise at a third party, not at the primary brand. Even organizations with mature internal security programs remain exposed through their vendor networks. The tiers-payant health insurance model, where a handful of processors handle data for dozens of mutuelles, is particularly vulnerable to single-point-of-failure breaches.

5.3 Credential Stuffing Turns Public Portals into Soft Targets

Credential stuffing has become the default follow-up attack after every French breach. In February 2024, the hacking group LulzSec claimed up to 600,000 CAF accounts compromised purely through password reuse, without any technical breach of caf.fr. A subsequent August 2024 leak exposed 60,369 further CAF login combos (NIR + password) on a hacking forum. As long as French public services accept password login, each new breach anywhere in Europe feeds credential stuffing attacks against them.
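
Detection logic for the pattern described above, as an added example that is not part of the original article or any CAF system. The log format, thresholds and account names are assumptions, the source addresses come from the reserved documentation ranges, and all log lines are constructed.

```python
"""Credential-stuffing detection over portal login logs (all data is constructed)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_login_log():
    """Constructed lines: '<ISO timestamp> <source IP> <account> <OK|FAIL>' (assumed format)."""
    lines = []

    def add(start, step_s, i, ip, user, outcome):
        ts = (start + timedelta(seconds=step_s * i)).strftime(FMT)
        lines.append(f"{ts} {ip} {user} {outcome}")

    # One source trying 30 different accounts once each; a single reused password works.
    for i in range(30):
        add(datetime(2024, 2, 10, 3, 0), 10, i, "203.0.113.50",
            f"user-{i:04d}", "OK" if i == 17 else "FAIL")
    # Office NAT: many distinct accounts from one address, all logging in successfully.
    for i in range(25):
        add(datetime(2024, 2, 10, 9, 0), 20, i, "192.0.2.10", f"staff-{i:02d}", "OK")
    # One person mistyping their own password several times, then succeeding.
    for i in range(7):
        add(datetime(2024, 2, 10, 9, 30), 5, i, "198.51.100.7",
            "user-0901", "OK" if i == 6 else "FAIL")
    return lines


def parse(line):
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, FMT), ip, user, outcome == "OK"


def detect_stuffing(lines, window=timedelta(minutes=10), min_users=20, min_fail_ratio=0.9):
    """Flag sources that try many distinct accounts with a high failure ratio.

    Keyed on source IP for brevity; the same sliding window can be keyed on
    ASN or client fingerprint when attempts are spread over many addresses.
    """
    recent = defaultdict(deque)    # ip -> attempts still inside the window
    successes = defaultdict(set)   # ip -> accounts that logged in from it
    flagged = set()
    for ts, ip, user, ok in sorted(parse(line) for line in lines):
        q = recent[ip]
        q.append((ts, user, ok))
        while q[0][0] < ts - window:
            q.popleft()
        if ok:
            successes[ip].add(user)
        users = {u for _, u, _ in q}
        failures = sum(1 for _, _, o in q if not o)
        # Both conditions are needed: the NAT case passes the first, the
        # forgotten-password case passes the second, neither passes both.
        if len(users) >= min_users and failures / len(q) >= min_fail_ratio:
            flagged.add(ip)
    return {
        "sources": sorted(flagged),
        # A success from a flagged source means a reused password was valid:
        # these accounts need a forced reset and session revocation.
        "accounts_to_reset": sorted(u for ip in flagged for u in successes[ip]),
    }


if __name__ == "__main__":
    print(detect_stuffing(build_login_log()))
```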

5.4 CNIL Enforcement is Catching Up

As of January 2026, the CNIL has moved from warnings to punitive enforcement. On 13 January 2026, Free Mobile and Free were jointly fined 42 million euros (27 million against Free Mobile and 15 million against Free), and France Travail was fined 5 million euros on 22 January 2026 under GDPR Article 32 (the statutory maximum for a public body is 10 million euros). Historically, average CNIL fines remained well below GDPR caps. Combined with the growing body of class-action-style damages claims under Article 82, France has moved into the same enforcement tier as Germany, the Netherlands and Ireland.

6. Conclusion

France's ten biggest recent breaches tell a consistent story: credentials and third-party access are the common denominators. France Travail's social-engineered adviser accounts, Viamedis' phished healthcare professionals, Free's compromised internal tool, Pass'Sport's leaked partner integration and Bouygues Telecom's third-party supplier all trace back to the same underlying weakness: humans and vendors authenticating with passwords against systems that hold decades of citizen data.

The countermeasures are equally consistent: phishing-resistant authentication like passkeys, strict third-party access governance, continuous dark-web monitoring and 72-hour CNIL notification readiness. With the CNIL now issuing eight- and nine-figure fines, French organizations that treat these as board-level priorities in 2026 will avoid both the regulatory penalties and the reputational damage that defined the last three years of French breaches.

Frequently Asked Questions

What was the France Travail data breach in 2024?

In March 2024, France Travail (formerly Pôle Emploi) and Cap Emploi disclosed the largest data breach in French history. Attackers used social engineering to hijack Cap Emploi adviser accounts and exfiltrated personal data of up to 43 million job seekers over the past 20 years, including names, dates of birth, social security numbers, France Travail IDs and contact details. On 22 January 2026, the CNIL fined France Travail 5 million euros under GDPR Article 32, where the statutory maximum for a public body is 10 million euros.

How do you report a data breach in France?

Under GDPR Article 33, French controllers must notify the CNIL within 72 hours of becoming aware of a personal data breach. If the breach is likely to result in high risk to affected individuals, Article 34 requires notifying them without undue delay. Operators of vital importance (OIV) and operators of essential services (OSE) notify ANSSI under existing French law; the full transposition of the NIS2 directive into French law was still ongoing in 2026.

What is the largest CNIL fine ever issued after a data breach in France?

On 13 January 2026, the CNIL jointly fined Free Mobile 27 million euros and Free 15 million euros (42 million euros combined) for inadequate security that contributed to a 2024 breach exposing 24.6 million contracts, including 5.11 million IBANs. This is one of the largest combined GDPR sanctions ever issued in France for a data breach. France Travail was fined 5 million euros on 22 January 2026 under Article 32.

Why has France become such a prime target for data breaches?

France combines a highly digitized public sector (France Travail, CAF, DGFiP, OFII), a dense healthcare payment ecosystem (Viamedis, Almerys, Cegedim) and three major telecom operators that each hold tens of millions of subscriber records. Chronic underinvestment in cybersecurity relative to GDP, heavy reliance on third-party platforms and social engineering attacks against public-facing advisers explain why more than 145 million French records have been exposed between 2024 and 2025.

How do French data breaches fuel credential stuffing attacks?

Breaches expose email addresses, social security numbers and often passwords that get traded on dark web forums. Attackers replay these credentials against banks, public services and retailers, exploiting password reuse. The February 2024 CAF incident compromised up to 600,000 accounts purely through credential stuffing, without any technical breach of caf.fr, demonstrating how French breaches keep fueling attacks long after disclosure.
