Cyberattack on France’s ANTS portal may have exposed identity document user data
France’s Interior Ministry disclosed a cyberattack on the National Agency for Secure Documents (ANTS) portal, ants.gouv.fr, the government platform used to manage passport, national ID card, residence permit, and driver’s license applications. Detected on April 15, the incident may have exposed personal data tied to individual and professional accounts, including login identifiers, names, email addresses, dates of birth, and account IDs, with some records also potentially containing postal addresses, places of birth, and phone numbers. Officials said uploaded administrative documents were not compromised and that the exposed data cannot be used to directly access ANTS accounts.
French authorities reported the breach to CNIL, notified prosecutors, and alerted the national cybersecurity agency as investigators work to determine the scope, origin, and impact of the intrusion. The number of affected users has not been disclosed, but impacted individuals are being notified and urged to watch for suspicious messages. Separately, an unverified threat actor has claimed to be selling a dataset allegedly stolen from ANTS containing roughly 18–19 million records, heightening concerns over identity theft and fraud if the claim is confirmed.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
French government unveils cybersecurity action plan after ANTS breach
Following the ANTS hack, Prime Minister Sébastien Lecornu announced a state cybersecurity plan to strengthen government digital systems. The measures include €200 million in France 2030 funding, a requirement for ministries to devote 5% of digital budgets to cybersecurity starting next year, expanded testing and AI-based vulnerability detection, and a new governance structure for ministerial infrastructure.
Civil liberties group files CNIL complaint and damages claims over ANTS breach
In early May, La Ligue des Libertés filed a complaint with CNIL and submitted two compensation claims against the Interior Ministry and ANTS, seeking €150,000 over the ANTS data leak. The group alleged GDPR-related failures in protecting personal data and asked CNIL to identify violations, impose corrective measures, sanction ANTS, and require greater transparency about the incident.
Paris prosecutors open judicial investigation into ANTS breach
The Paris Prosecutor's Office opened a judicial investigation into the ANTS breach, focusing on alleged fraudulent access to a state-run automated data processing system and the extraction of data from it. The move followed earlier notifications to prosecutors and came after authorities had already detained a 15-year-old suspect.
ANTS takes portal offline for security hardening
ANTS temporarily made its online portal unavailable as it carried out security reinforcement measures following the previously disclosed breach. The Interior Ministry said the maintenance operation began Friday evening and was intended to strengthen defenses while services were restored as quickly as possible.
French police detain teen suspect in ANTS breach probe
French prosecutors said a 15-year-old suspect was taken into custody on April 25 as part of the investigation into the ANTS breach. Authorities believe the minor may have used the alias “breach3d” to advertise 12 million to 18 million allegedly stolen records for sale and are seeking formal charges and judicial supervision.
Threat actor claims sale of alleged ANTS dataset
An unverified threat actor claimed to be selling a dataset allegedly stolen from ANTS containing roughly 18 to 19 million records. The claim had not been verified, but it raised concerns about possible identity theft and fraud if authentic.
Authorities notify regulators, prosecutors, and affected users
French authorities reported the ANTS incident to CNIL, notified prosecutors, and alerted the national cybersecurity agency as the investigation continued. Impacted users were being notified and advised to watch for suspicious communications, while additional security measures were implemented to maintain service continuity and improve data protection.
French Interior Ministry discloses ANTS breach and possible data exposure
France's Interior Ministry disclosed that the ANTS cyberattack may have exposed personal data from individual and professional accounts, including login credentials, names, email addresses, dates of birth, account identifiers, and in some cases postal addresses, places of birth, and phone numbers. Officials said uploaded administrative documents were not compromised and that the exposed data could not be used to directly access ANTS accounts.
Cyberattack on France's ANTS portal is detected
French authorities detected a cyberattack affecting the National Agency for Secure Documents (ANTS) portal, which handles applications for passports, identity cards, residence permits, and driver's licenses. Investigators began assessing the scope, origin, and consequences of the incident.
ANTS detects suspicious activity tied to France Titres breach
ANTS detected suspicious activity on its systems on April 13 during what became the France Titres data breach investigation. The discovery preceded the public disclosure and subsequent law enforcement actions tied to the alleged sale of 12 million to 18 million records.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
18 references tracked. Mallory keeps watching after this page renders.
Piratage de l’ANTS : un nouveau front juridique ouvert par une as ...
zdnet.fr
Open source" Il faut remettre de l'ordre ", Sébastien Lecornu lance une cont ...
zdnet.fr
Open source15-year-old detained over massive data breach at French government agency - Help Net Security
helpnetsecurity.com
Open source15-year-old detained over French govt agency data breach
bleepingcomputer.com
Open sourceFrance’s ANTS ID System website hit by cyberattack, possible data breach
securityaffairs.com
Open sourceCyberattack at French identity document agency may have exposed personal data | The Record from Recorded Future News
therecord.media
Open sourceIncident de sécurité relatif au portail ants.gouv.fr - France Titres (ANTS)
ants.gouv.fr
Open sourceUnclassified
tribunal-de-paris.justice.fr
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
France Titres Breach Exposed Up to 19 Million Identity Records
France Titres, the French agency formerly known as ANTS and responsible for identity and registration documents, confirmed a breach of its `ants.gouv.fr` portal after threat actor **breach3d** advertised a trove of stolen records for sale on cybercrime forums. The agency said the compromised data may include login IDs, full names, email addresses, dates and places of birth, account identifiers, and in some cases postal addresses and phone numbers from both individual and professional accounts. Other reporting on the sale listings said the dataset could contain 18 million to 19 million records, including fields indicating government-verified identities, raising the risk of phishing, social engineering, and identity fraud if the claims are fully accurate. French authorities said unusual activity was identified in mid-April and launched parallel technical and judicial investigations involving **ANSSI**, **CNIL**, the Paris Public Prosecutor, and anti-cybercrime investigators. Prosecutors later announced the arrest of a 15-year-old suspect in connection with the case after records linked to the agency were allegedly offered for sale online, and said the inquiry covers unauthorized access, persistence, and extraction of personal data from a state-operated system. France Titres has notified affected individuals and said the stolen information does not provide direct access to user accounts or the portal itself, while warning citizens to remain alert for follow-on scams and impersonation attempts.
May 25, 2026
Unauthorized Access to France’s FICOBA Bank Account Registry Exposes 1.2 Million Accounts
France’s Ministry of the Economy and Finance confirmed that an attacker **accessed and consulted data tied to ~1.2 million French bank accounts** by using **stolen login credentials** belonging to an authorized government user of the national bank account registry (*FICOBA*). The intrusion began in **late January 2026** and exposed account-linked personal data including **IBANs**, account holder **names**, **addresses**, and in some cases **tax identification numbers** (DGFiP-issued). Authorities stated the access did **not** enable viewing balances or initiating transactions. After detection, the ministry reported it **blocked the attacker**, notified France’s data protection authority (**CNIL**), and **filed a criminal complaint**; impacted individuals are expected to be contacted directly, and **banks were alerted** to advise customers to remain vigilant. Reporting noted the incident follows other recent cyber disruptions affecting French public services (including attacks impacting **La Poste/La Banque Postale** and the **Interior Ministry**), though no motive or attribution for the FICOBA access has been publicly confirmed.
Apr 7, 2026
French Education Breaches Expose Data on 1.7 Million People
French education authorities disclosed two significant breaches affecting both public and Catholic school administration systems. The Ministry of National Education said its `Compass` platform, used to manage trainee teachers in primary and secondary education, was compromised after a user reportedly opened a fraudulent email attachment and had credentials stolen. The incident exposed data on about **243,000 people**, including identity and contact details, absence periods, and the identities and professional phone numbers of tutors, though the ministry said no health data was involved. ANSSI was brought in, a crisis cell was opened, and the ministry announced a security plan centered on **multi-factor authentication**, stronger data segmentation, and reduced application exposure. Separately, the Secrétariat général de l’enseignement catholique reported a cyberattack on its management application for nursery and elementary schools that affected about **1.5 million people**. Unauthorized access exposed identification data for application users and contact information for students, families, and teachers, including names, postal and email addresses, phone numbers, and dates of birth, increasing the risk of phishing. The organization said it secured access, suspended affected services, notified authorities including the French Ministry of Education, and engaged specialist responders, while a forum user calling themselves **"Ryolait"** allegedly offered the stolen database for sale starting at **$2,000**. The incidents add to mounting concern over weak security in the education sector, which ANSSI has described as a frequent target of opportunistic attacks.
Mar 26, 2026