The ANTS hack: the 2007 flaw, the 2026 cheque, and the gap no figure can close
Lecornu calls the ANTS breach the "heist of the century." It is a student homework-assignment heist. A 2007 flaw. With 200 million euros of announcement effect on top.

You may have received this email on 15 April. The subject line is neutral, the tone reassuring. It tells you that unauthorized access affected your data on the France Titres portal, formerly the ANTS. It lists what leaked: your name, your address, your date of birth, your phone number. It closes with this sentence, "You therefore have no action to take." You read it twice. You looked, in the wording, for what felt off. Here is what felt off. The sentence is accurate on a technical level, and grotesque on a symbolic level. It tells you there is nothing to do, because indeed, there is nothing to do. That is precisely the problem.
The hacker, a 15-year-old minor arrested at the end of April, exploited a flaw whose technical name you do not need to remember. It is called IDOR, for Insecure Direct Object Reference. It has been in the OWASP top 10 since 2007. It is the canonical example taught in the first week of any cybersecurity course. In practice, all you had to do was change a digit in an address to pull up another citizen's file. No zero-day. No state operation. No criminal genius. The hacker himself called the flaw "really stupid." It is. It had existed for nineteen years in the textbooks, in the frameworks, in the ANSSI guides, in the OWASP checklists. It stayed open on a sovereign portal that manages the identity documents of tens of millions of French citizens.
I am the CISO of a company that builds applications. If one of our developers shipped to production an API exposed to an IDOR flaw on personal data, they would lose their job that same day, and I would lose mine almost within the same week. Not out of harshness. Because it is unacceptable. Not a matter of opinion, a matter of professional standards. We run automated static analysis tools that cost a few thousand euros a year and that catch this type of vulnerability before anything reaches production. We commission penetration tests several times a year, on rotating scopes, to validate what the tools did not see. We are not a multinational, we are a reasonably sized organization with constrained budgets. In 2026 the ANTS has its own budget of more than 315 million euros. The State spends between 700 million and one billion euros a year on cybersecurity. The tools exist. The methods exist. The budgets exist. What is missing is execution discipline, and no one buys execution discipline with a 200 million cheque announced in the middle of a crisis.
I have written this before. On this blog, analyzing the cybersecurity roadmap of the State published on 9 April 2026, that is six days before the ANTS hack, I explained that the document said everything without meaning to. It listed, with an almost clinical clarity, the structural failings of the French setup. Multi-factor authentication to be rolled out across high-stakes systems by February 2027. Removal of generic accounts by June 2026. Systematic annual testing of recovery plans. All of it was in the text. All of it existed on paper. And on 15 April 2026, six days after publication, a sovereign portal fell to a 2007 flaw. I also spoke on CNews about the gap between French regulation and operational execution. This is not a convenient posture. It is a consistent reading, for months now, of a system that produces frameworks of international quality and proves incapable of applying its own requirements to its own portals.
On 30 April, Prime Minister Sébastien Lecornu went to France Titres with four ministers to announce a series of measures. A 200 million euro package released as early as the start of May, as part of the France 2030 program launched in 2021. A State digital authority to be created. A merger of the interministerial directorates DITP and DINUM. CNIL fines redirected toward a modernization fund. Digital blackout scenarios to be designed, with the explicit hypothesis of a US administration cutting France off from its tools. Vulnerability tests to be run across the scale of the ministries. On paper, it is a complete response. In practice, it is budgetary communication. Because the overall envelope is not the problem. Because merging org charts does not create enforcement power if the legislature does not write it into law. Because vulnerability tests should have been running continuously on the sovereign portals for years, and to this day they still do not run in a mandatory and verified way.
The right word to describe what is happening is afterthought. In the steering of the French digital State, cybersecurity is an afterthought. It is treated as a defensive cost added at the end of the chain, after the service has been designed, after development, after going live. It is invoked in speeches, cited in roadmaps, given summits and plans. But it is not planned upstream, in the specifications, in the code review, in the pre-production tests. Yet cybersecurity cannot be decreed after the incident. It is built at the moment you design the architecture, when you choose the format of the user identifier, when you write the first line of code, when you define the permissions matrix. The ANTS IDOR flaw did not appear by accident in April 2026. It was coded at a precise moment, by someone, without cross-checking, without an automated test, without any later independent audit. And it stayed open because no one in the chain had the authority or the mandate to detect it.
There is a detail that has to be taken seriously. In September 2025, data supposedly from the ANTS had already circulated on the dark web, mentioning 12 million accounts. ANSSI had then concluded it was the recycling of earlier leaks and ruled out the hypothesis of an intrusion. Seven months later, the same volume resurfaces, this time confirmed. Either the IDOR flaw was already active in the autumn of 2025 and the alert was treated as a false positive. Or two successive intrusions exploited the same vulnerability, with no fix in between. In both cases, we are looking at exactly what I call the decision gap. That moment when an organization holds the useful information, has the means to act, and does not do it. Not out of malice. Through cognitive bias. Social validation within the hierarchy normalizes the false positive. The pressure of business continuity defers the deep audit. The perceived cost of the investigation looks higher than the perceived risk of the incident. All the ingredients are there for the organization that knows to fail to act. Organizational psychology is more decisive here than the technology.
The ANTS is not an isolated case. Since early 2024, France has seen Free, France Travail, Cegedim Santé, entire sports federations, the UNSS, three ARS, the TAJ and FPR files. The CNIL recorded 8,163 data breach notifications between September 2024 and September 2025, up 45 % year on year. In 2025, France became the second country in the world for stolen accounts relative to population. No announcement treats this pattern as a pattern. Each incident is commented on as an isolated event, handled with a budget top-up, and forgotten as the next one arrives. That is exactly what I meant by afterthought. As long as cybersecurity remains a reaction to the incident rather than an upstream discipline, we will sign every 200 million cheque in the world without closing the gap.
You reread the email of 15 April. You found it strange. You were right. What it told you is that you had no action to take. What it did not tell you is that there would be no action taken on the State's side either, beyond the announcements. The ANTS flaw dates from 2007. The execution discipline that should have fixed it, we have been waiting for it just as long.
Questions fréquentes
What is an IDOR flaw and why does it matter so much here?
IDOR (Insecure Direct Object Reference) lets you access another user's data by changing a single identifier in a request. It has been in the OWASP top 10 since 2007 and remains the canonical example taught at the start of any course, which makes its presence on a sovereign identity portal unacceptable.
Who is responsible for the ANTS hack?
A 15-year-old minor, arrested at the end of April 2026, exploited the flaw with no zero-day and no state operation. The hacker himself called the vulnerability "really stupid."
Do the 200 million euros announced fix the problem?
No, according to the author. The package, released as part of France 2030, amounts to budgetary communication: neither merging org charts nor a top-up creates enforcement power or continuous, mandatory and verified vulnerability testing.
Is the ANTS incident an isolated case?
No. Since early 2024 France has seen many breaches (Free, France Travail, Cegedim Santé, the UNSS, several ARS, the TAJ and FPR files). The CNIL recorded 8,163 breach notifications between September 2024 and September 2025, up 45 %.
What is the "decision gap" mentioned in the article?
It is the moment when an organization holds the useful information and has the means to act, but does not, through cognitive bias rather than malice. A September 2025 alert, dismissed by ANSSI, would be the illustration.
Sources & méthodologie
- ANSSI, analyse de l’alerte de septembre 2025 sur des données prétendument issues de l’ANTS
- CNIL, 8 163 notifications de violations de données (septembre 2024 - septembre 2025)
- OWASP Top 10, référencement de la vulnérabilité IDOR depuis 2007
- Feuille de route cybersécurité de l’État français (9 avril 2026) :
- Intervention de l’auteur sur CNews :

Être en cybersécurité
Une feuille de route cyber en clair, pour tout le monde, pas seulement les experts.
