French Education Breaches Expose Data on 1.7 Million People
French education authorities disclosed two significant breaches affecting both public and Catholic school administration systems. The Ministry of National Education said its Compass platform, used to manage trainee teachers in primary and secondary education, was compromised after a user reportedly opened a fraudulent email attachment and had credentials stolen. The incident exposed data on about 243,000 people, including identity and contact details, absence periods, and the identities and professional phone numbers of tutors, though the ministry said no health data was involved. ANSSI was brought in, a crisis cell was opened, and the ministry announced a security plan centered on multi-factor authentication, stronger data segmentation, and reduced application exposure.
Separately, the Secrétariat général de l’enseignement catholique reported a cyberattack on its management application for nursery and elementary schools that affected about 1.5 million people. Unauthorized access exposed identification data for application users and contact information for students, families, and teachers, including names, postal and email addresses, phone numbers, and dates of birth, increasing the risk of phishing. The organization said it secured access, suspended affected services, notified authorities including the French Ministry of Education, and engaged specialist responders, while a forum user calling themselves "Ryolait" allegedly offered the stolen database for sale starting at $2,000. The incidents add to mounting concern over weak security in the education sector, which ANSSI has described as a frequent target of opportunistic attacks.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Ministry launches crisis response and announces security plan
In response to the Compass incident, the ministry opened a crisis cell, involved ANSSI, and announced measures including multi-factor authentication, better data segmentation, and reducing application exposure to users. It also cited the upcoming NIS 2 transposition as a way to strengthen the sector's security baseline.
French education ministry discloses Compass breach affecting 243,000
France's Ministry of National Education disclosed that the compromise of the Compass platform exposed data on about 243,000 people. The affected information included identity and contact details, absence periods, and the identities and professional phone numbers of tutors, but not health data.
Compass platform compromise begins with phishing attachment
According to the Ministry of National Education, the Compass breach likely started when a user opened a fraudulent email attachment and their credentials were captured. The platform is used to manage trainee teachers in primary and secondary education.
Catholic education secretariat secures systems and notifies authorities
After detecting the intrusion, the organization said it secured access, suspended affected services, notified legal and administrative authorities including the French Ministry of Education, and brought in specialized service providers. The exposed data reportedly included identities, postal and email addresses, phone numbers, and dates of birth, raising phishing risks.
Catholic education management application breached
The Secrétariat général de l’enseignement catholique disclosed a cyberattack affecting its management application for nursery and elementary schools. Unauthorized access exposed identification data for users and contact information for students, families, and teachers, reportedly affecting about 1.5 million people.
Catholic education database allegedly offered for sale online
A forum user using the name "Ryolait" allegedly advertised a database claimed to be stolen from France's Catholic education sector, with a starting price of $2,000. The listing suggested the data had already been exfiltrated before the public disclosure of the breach.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
France Titres Breach Exposed Up to 19 Million Identity Records
France Titres, the French agency formerly known as ANTS and responsible for identity and registration documents, confirmed a breach of its `ants.gouv.fr` portal after threat actor **breach3d** advertised a trove of stolen records for sale on cybercrime forums. The agency said the compromised data may include login IDs, full names, email addresses, dates and places of birth, account identifiers, and in some cases postal addresses and phone numbers from both individual and professional accounts. Other reporting on the sale listings said the dataset could contain 18 million to 19 million records, including fields indicating government-verified identities, raising the risk of phishing, social engineering, and identity fraud if the claims are fully accurate. French authorities said unusual activity was identified in mid-April and launched parallel technical and judicial investigations involving **ANSSI**, **CNIL**, the Paris Public Prosecutor, and anti-cybercrime investigators. Prosecutors later announced the arrest of a 15-year-old suspect in connection with the case after records linked to the agency were allegedly offered for sale online, and said the inquiry covers unauthorized access, persistence, and extraction of personal data from a state-operated system. France Titres has notified affected individuals and said the stolen information does not provide direct access to user accounts or the portal itself, while warning citizens to remain alert for follow-on scams and impersonation attempts.
May 25, 2026
French Telecom and Retail Breaches Expose Millions of Customer Records
French telecommunications provider **Bouygues Telecom** disclosed a cyberattack that led to the exposure of nearly **6.4 million customer records**, including **5.7 million unique email addresses**. The compromised data reportedly included names, physical addresses, phone numbers, dates of birth, and **IBANs**, raising concerns about fraud and financial abuse. The company said affected customers were notified after detecting the intrusion into its services. French electronics retailer **Boulanger** also suffered a major breach in which more than **27 million rows of data** were exposed, including **2 million unique email addresses**. The leaked information reportedly included names, physical addresses, phone numbers, and even **latitude and longitude** data. Unlike the Bouygues incident, the stolen Boulanger dataset was later posted publicly on a hacking forum, significantly increasing the likelihood of downstream misuse, phishing, and identity-related abuse.
Mar 27, 2026
Multiple Data Exposure and Breach Reports Involving French Citizens, Victorian Students, and Alleged PayPal Credentials
Security researchers reported a large, publicly exposed database on an open cloud server containing **tens of millions of French citizen records** aggregated from at least five prior breaches, including voter data, healthcare entries, CRM contacts, financial profiles (including **IBANs/BICs**), and vehicle-related information. The dataset appears to have been compiled to increase resale value and enable identity cross-linking, elevating risks of **phishing, fraud, and identity theft**. Separately, Australia’s **Victorian Department of Education** notified parents that an unauthorized party accessed a student database containing names, school names, year levels, school-issued email addresses, and **encrypted passwords**, prompting a forced password reset and temporary account access disruption; the department stated more sensitive fields (e.g., home addresses, phone numbers) were not exposed and investigators had not confirmed public release. In another unrelated report, researchers questioned the veracity of a newly claimed **PayPal** breach, assessing a ~100,000-record credential “combolist” as likely **outdated infostealer-log data** rather than evidence of a fresh PayPal compromise, noting PayPal’s prior refutation of similar claims and the practical barriers posed by MFA.
Mar 21, 2026