French Government Agency Data Breach Hits Up to 19 Million Citizens

A French government agency has confirmed a data breach that may rank as one of the largest administrative leaks in the country's history. The attack targeted the Agence nationale des titres sécurisés, known as ANTS or France Titres, the body responsible for issuing passports, national ID cards, driver's licenses, and vehicle registration documents. A threat actor is now offering the stolen data for sale on criminal forums, and investigators are still working to determine the full scale of what was taken.

A Breach atthe Heart of French Identity Infrastructure

ANTS operates under the French Ministry of the Interior. Its portal handles citizen requests for the most sensitive official documents the French state issues. An attack here does not just expose account credentials or email addresses. It reaches directly into the records of people who applied for government ID.

The agency detected the intrusion on April 15, 2026, and published an official announcement confirming the incident. According to that statement, the breach may have exposed data from both individual and professional accounts on the ants.gouv.fr portal. Confirmed exposed fields include full names, dates and places of birth, email addresses, login identifiers, and unique account IDs. In some cases, home addresses and phone numbers were also compromised.

ANTS confirmed that uploaded documents, such as scanned copies of ID cards or proof of address submitted during applications, were not affected. Investigators also stated that the exposed data alone would not allow someone to directly access a user's account or reissue an official document.

The Threat Actor and the Data for Sale

A day after the breach was detected, on April 16, a hacker operating under the name "breach3d" posted a claim on criminal forums. The actor alleged to hold between 18 and 19 million records drawn from ANTS systems and put the dataset up for sale at an undisclosed price.

The claimed dataset reportedly includes full names, contact details, birth data, home addresses, account metadata, gender, and civil status. Those fields go somewhat beyond what ANTS officially confirmed as exposed, which suggests investigators are still working to reconcile the agency's own audit against what the attacker is offering.

The data has not been publicly leaked. It remains a private listing, which means the information has not yet circulated freely on the criminal market. That window may be narrow. Once data of this type reaches buyers, it tends to move quickly into phishing campaigns, identity fraud operations, and credential stuffing attacks.

Security researchers following the case noted that the attacker described the underlying vulnerability as elementary. Cybersecurity analysts reported that "breach3d" characterised the flaw as "really stupid," and technical analysis pointed toward an Insecure Direct Object Reference vulnerability on the ANTS API. That type of flaw allows an attacker to access another user's data simply by manipulating a parameter in a request. No sophisticated tooling is required.

How Authorities Are Responding

ANTS has followed the required legal procedures. The agency notified the CNIL, France's data protection authority, in line with GDPR Article 33 obligations. It also filed a report with the Paris Public Prosecutor to open a criminal investigation, and alerted ANSSI, France's national cybersecurity agency. The Office anti-cybercriminalité, known as OFAC, has been brought in to lead the technical investigation.

ANTS is in the process of notifying users identified as directly affected. The agency told the public that no immediate action is required but issued a clear warning: exercise extreme caution around any SMS, phone call, or email that appears to come from ANTS. Fraudsters routinely exploit confirmed breach events to launch impersonation campaigns, and the data now in the attacker's hands makes that kind of targeting much more precise.

What This Data Enables

The combination of fields reportedly stolen creates aready-made profile for social engineering and identity fraud. Full names, dates of birth, home addresses, and phone numbers together allow an attacker to craft convincing messages that reference accurate personal details. That raises the success rate of phishing attempts well above generic spam.

For citizens whose data is included, the most immediate risk is targeted phishing, specifically messages that impersonate ANTS or other French administrative services and request additional information or account verification. The presence of professional account data in the breach also raises concern for businesses that interact with the ANTS portal through authorised channels, such as vehicle dealers and administrative service providers.

A Pattern France Cannot Ignore

This French government agency data breach sits inside a broader pattern. France has seen a string of significant public and private sector incidents in recent months, including a breach of the FICOBA banking data registry earlier this year and an attack on parcel delivery firm Relais Colis affecting tens of millions of customer records. The ANTS breach, if the attacker's volume claim holds up under investigation, would rank among the most serious of these.

What makes the ANTS incident particularly damaging is the nature of the institution involved. Citizens cannot simply change the date of birth or national ID number linked to their government file. The information is permanent. That makes it useful to attackers not just today but for years, and it puts identity fraud risk on a long timeline that typical breach notifications do not adequately communicate.

Investigations remain active. The confirmed scale of the breach is still being established, and no arrest has been reported.