France's worst data breaches of 2026: the ranking (spoiler: you're in it)
6,167 data breaches in 2025, a record, and 2026 is already doing better. From the Almerys brother-in-law nobody ever introduced you to, to the teenager who cracked open the ANTS vault by changing one digit in a URL, here is the ranking of France's worst breaches of the…

There are two kinds of French people in 2026: those whose data has leaked, and those who don't know it yet. The CNIL counted 6,167 data breaches in 2025, a record, and the first quarter of 2026 was already off to a faster start. Its president summed up the mood in a sentence we should embroider on throw pillows: nobody is spared by data breaches.
I could inflict three thousand words on you about the structural gap between knowing a risk exists and lifting a finger to prevent it. It's my obsession, I'm working on it. Today we'll instead do what everyone has been asking for all along: a ranking. From least bad to most emblematic, in order of increasing severity and roughly constant absurdity. Official criterion: what each case says about the year. Unofficial criterion: how badly it makes you want to unplug the router and go live in a cave. You are probably affected by several entries. Enjoy.
8. Carvivo, or the art of inflating a number
We start with the auto industry, and with a masterclass in crisis communication done backwards. In early June, a database attributed to Carvivo, a platform that manages dealership leads, turned up for sale. The hacker claimed fifteen million people, five million license plates, one thousand seven hundred and six dealerships. The company, for its part, talked about a million and a half contacts instead. The truth is hiding somewhere between the two, but the figure that made the headlines, you can guess, is the hacker's.
That's the whole beauty of the genre. The attacker throws out an unverified claim, and it travels faster and farther than the victim's polite denial. Remember that, it will come in handy further down. The intrusion technique, by the way, consisted of wandering across URLs accessible without authorization. The great classic of the year.
7. The public online services tour
Out of competition, because this isn't one breach but a collection. In January, the national bank account registry was emptied through the credentials of an official at Bercy, 1.2 million accounts. In March, the Cnous announced the theft of the data of 774,000 CROUS students. And for the surreal touch, the national hunters' federation saw 1.4 million people leaked, because apparently even a hunting license is of interest to the dark web.
The common thread? Every time, the State grouped its users behind a single login portal, in a commendable pursuit of simplicity, and that single portal became a single target. The wider the portal, the more profitable the heist. It's arithmetic, and it's exactly what you don't want to hear when digitalization is being sold as pure progress.
6. The summer tourism packed its bags
In mid-May, four tourism players fell in three days: Pierre et Vacances-Center Parcs, Belambra, Maeva, and Gîtes de France, the last one on 389,000 booking files going back as far as 1995. No banking data. The same hacker on all four. At this stage, it's no longer an attack, it's a tour, with dates and everything.
The most delicious part is his motivation, which he delivered himself: to show just how much of a sieve France is when it comes to cybersecurity. So he carried out, free of charge, the security audit nobody had ordered, and he even wrote the press release. We owe him at least a certain intellectual honesty. You, on the other hand, owe him the list of your vacations over the last thirty years.
5. Cegedim, the breach through the margins
We move up a notch with health. An attack launched in late October 2025 against a medical software used by 3,800 doctors affected 1,500 of them. The ministry ended up citing up to fifteen million people, about 169,000 of them for the most sensitive data. Relatively good news: the structured medical record stayed intact. Bad news: what leaked were the comments doctors jot down on their patients' file. Not the prescription, the little notes in the margins. The ones you don't write to be read.
And the best for last. Patients learned of the case on France 2's 8 p.m. news, on 26 February, four months after the fact. There are more delicate ways to tell someone their file is floating around a forum. A biting detail: the software publisher had already been fined 800,000 euros by the CNIL for unauthorized processing of health data. The risk was not some surprise revelation.
4. ManoMano, or the link we outsourced
Nearly 38 million European customers out in the wild, and yet the retailer itself wasn't hit. It was its support provider, based in Tunis, whose customer service instance was vacuumed up, 43 gigabytes, nearly 935,000 tickets. You had never heard of this subcontractor. It hadn't heard of you either, until the day it mislaid your file.
Neither password nor bank details in the loot, just your exchanges with the after-sales service. We tend to think that's worth nothing. It's the opposite. A support history is the context, the tone, the details of an order, exactly the raw material for a fake call that rings true. We outsourced support to save money, and we delivered the attack surface along with it, as a free add-on.
3. Almerys, the guest nobody had introduced
Here is the name half the roundups treat as a footnote, wrongly. Almerys is a third-party payment operator. Translation: every time your pharmacist runs your carte Vitale without asking you to advance a single cent, Almerys is in the plumbing, between your health insurer and them. It's the brother-in-law your complementary health insurance never introduced you to. You had no idea it existed, and yet it had your Social Security number. Now, everyone does.
The claimed breach involves 44 million rows and 15.4 million unique Social Security numbers, more than 674 organizations concerned, data going back to 2010. Compromise a single invisible intermediary, and you reach hundreds of health insurers at once. A quick reminder for the road: a password can be changed. A Social Security number is for life. Like a tattoo, but administrative. And it isn't even a first, the scenario resembles that of 2024. We made the mistake again, identically, on the same pipe.
2. France Travail, the involuntary census
On 22 January 2026, the CNIL fined France Travail five million euros for a 2024 breach that exposed the data of 36.8 million people. More than half the country. At this stage, it's no longer a data breach, it's a census, conducted by people nobody had asked.
This fine is sometimes presented as a record. It isn't one, the real record belongs to Free, 42 million euros a few days earlier. But the detail that stings is buried in the ruling: the CNIL had already warned the organization in 2022 about its activity logs. France Travail gave that warning the same sustained attention you give terms and conditions. Warned in 2022, breached in 2024, fined in 2026. Security is almost never a matter of not knowing. It's a matter of not getting to it. There, I cracked, one serious sentence. Moving on.
1. ANTS, the vault opened by a minor
And the top prize goes, without suspense, to the agency that makes your passports, your driving licenses and your ID cards. On 15 April 2026, its portal was compromised. The ministry would confirm 11.7 million accounts affected, while the attacker claimed up to nineteen million. The most sovereign data there is, identity itself, put up for sale on a forum.
The cutting-edge technique employed: change one digit in a web address to land on your neighbor's file. The kind of flaw you learn to fix in your second year and that, evidently, someone skipped class for. The author? A fifteen-year-old teenager, arrested in Corsica, who admitted the facts and explained that he had wanted to raise the alarm about the flaws and make a name for himself in the scene. Let's sum up. The vault of national identity was opened by someone not yet old enough to take the driving test. A license the burgled agency happens to make. If you were looking for an image of the year, stop, you have it.
Special mention: those who paid
You may have noticed, one name is missing from this ranking, that of the company that pulled out the checkbook to get its files back. Which one? That's the million-dollar question. It's the golden rule of the ransom French-style: you pay, you possibly collect the insurance, and you don't tell anyone, least of all you.
Yet it's very much there, in the list, probably in several copies. According to the barometers, between half and three quarters of French companies hit by ransomware end up paying, for an average amount around one million euros. Nearly one in three even pays several times, which says a lot about the value for money. And since every ransom paid is only an advance on the next attack, the machine runs silently, perfectly oiled. As long as paying quietly remains the least painful option, and nobody is held to account, we'll play the same tune again next year.
Dishonorable mention: the hackers' after-sales service
One last word for this new breed of cyber influencers who spend more time in private messages with hackers than moving anything forward. The ritual is well-oiled. You contact the author of the breach, you land the exclusive screenshot, you relay the claimed figure before the slightest verification, and you find yourself, without realizing it, running the free press office of a kid who wanted only one thing: to be talked about. The hacker's figure makes the rounds of the networks, the victim's denial stays on the platform. Remember Carvivo.
Confusing proximity to a source with real expertise is the most widespread mistake of the moment. And I'm not throwing stones from atop a pedestal: the lure of the TV set, of the punchline and of the thread that goes viral tempts us all, myself included, and the line between shedding light and amplifying is thinner than we like to admit. There is the deep work, the kind news agencies pick up because it's verified, and there is the spectacle of complicity. The first serves a purpose. The second feeds the beast it claims to expose.
We're only at halftime
The most disturbing thing about this ranking isn't that France is a sieve. A fifteen-year-old hacker demonstrated it free of charge, it's been said, it's on the record. The real issue is that we already knew it, that we still know it, and that we keep widening the holes while calling it modernization.
And all of this, don't forget, is only the midterm report. Six months, eight entries, and a bar already set so high it's hard to imagine worse. But the year is young, a whole half remains, and France has never let down anyone betting on its ability to outdo itself at this exercise. So we'll take stock again in December, for the year-end debrief, to discover together whether the second half of 2026 had even finer surprises in store for us. Something tells me it did.
Questions fréquentes
How many data breaches did the CNIL count in 2025?
The CNIL logged 6,167 data breaches in 2025, a record, and the first quarter of 2026 was starting at an even higher pace.
Why is the Almerys case considered one of the most serious?
Almerys is a third-party payment operator invisible to the general public: the claimed breach involves 44 million rows and 15.4 million unique Social Security numbers, affecting more than 674 organizations, with data going back to 2010. A Social Security number, unlike a password, cannot be changed.
What technique made the ANTS portal compromise possible?
It was enough to change one digit in a web address to access another user's file. The ministry confirmed 11.7 million accounts affected; the author was a fifteen-year-old teenager, arrested in Corsica.
What was the CNIL's penalty against France Travail?
On 22 January 2026, the CNIL fined France Travail 5 million euros for a 2024 breach that exposed 36.8 million people. It is not a record: Free was hit with 42 million euros a few days earlier.
Do French companies pay ransoms?
According to the barometers cited, between half and three quarters of French companies hit by ransomware end up paying, for an average amount around one million euros, and nearly one in three pays several times, most often in silence.
Sources & méthodologie
- CNIL, bilan 2025 des violations de données (6 167 violations recensées)
- CNIL, sanction de 5 M€ à l'encontre de France Travail, 22 janvier 2026
- CNIL, sanction de 42 M€ à l'encontre de Free

Être en cybersécurité
Une feuille de route cyber en clair, pour tout le monde, pas seulement les experts.
