Cyberattack on France’s ANTS portal may have exposed identity document user data
France’s Interior Ministry disclosed a cyberattack on the National Agency for Secure Documents (ANTS) portal, ants.gouv.fr, the government platform used to manage passport, national ID card, residence permit, and driver’s license applications. Detected on April 15, the incident may have exposed personal data tied to individual and professional accounts, including login identifiers, names, email addresses, dates of birth, and account IDs, with some records also potentially containing postal addresses, places of birth, and phone numbers. Officials said uploaded administrative documents were not compromised and that the exposed data cannot be used to directly access ANTS accounts.
French authorities reported the breach to CNIL, notified prosecutors, and alerted the national cybersecurity agency as investigators work to determine the scope, origin, and impact of the intrusion. The number of affected users has not been disclosed, but impacted individuals are being notified and urged to watch for suspicious messages. Separately, an unverified threat actor has claimed to be selling a dataset allegedly stolen from ANTS containing roughly 18–19 million records, heightening concerns over identity theft and fraud if the claim is confirmed.
Timeline
Apr 29, 2026
Paris prosecutors open judicial investigation into ANTS breach
The Paris Prosecutor's Office opened a judicial investigation into the ANTS breach, focusing on alleged fraudulent access to a state-run automated data processing system and the extraction of data from it. The move followed earlier notifications to prosecutors and came after authorities had already detained a 15-year-old suspect.
Apr 27, 2026
ANTS takes portal offline for security hardening
ANTS temporarily made its online portal unavailable as it carried out security reinforcement measures following the previously disclosed breach. The Interior Ministry said the maintenance operation began Friday evening and was intended to strengthen defenses while services were restored as quickly as possible.
Apr 25, 2026
French police detain teen suspect in ANTS breach probe
French prosecutors said a 15-year-old suspect was taken into custody on April 25 as part of the investigation into the ANTS breach. Authorities believe the minor may have used the alias “breach3d” to advertise 12 million to 18 million allegedly stolen records for sale and are seeking formal charges and judicial supervision.
Apr 20, 2026
Threat actor claims sale of alleged ANTS dataset
An unverified threat actor claimed to be selling a dataset allegedly stolen from ANTS containing roughly 18 to 19 million records. The claim had not been verified, but it raised concerns about possible identity theft and fraud if authentic.
Apr 20, 2026
Authorities notify regulators, prosecutors, and affected users
French authorities reported the ANTS incident to CNIL, notified prosecutors, and alerted the national cybersecurity agency as the investigation continued. Impacted users were being notified and advised to watch for suspicious communications, while additional security measures were implemented to maintain service continuity and improve data protection.
Apr 20, 2026
French Interior Ministry discloses ANTS breach and possible data exposure
France's Interior Ministry disclosed that the ANTS cyberattack may have exposed personal data from individual and professional accounts, including login credentials, names, email addresses, dates of birth, account identifiers, and in some cases postal addresses, places of birth, and phone numbers. Officials said uploaded administrative documents were not compromised and that the exposed data could not be used to directly access ANTS accounts.
Apr 15, 2026
Cyberattack on France's ANTS portal is detected
French authorities detected a cyberattack affecting the National Agency for Secure Documents (ANTS) portal, which handles applications for passports, identity cards, residence permits, and driver's licenses. Investigators began assessing the scope, origin, and consequences of the incident.
Sources
5 more from sources like register security, techcrunch com security, scworld and zdnet
Related Stories

Unauthorized Access to France’s FICOBA Bank Account Registry Exposes 1.2 Million Accounts
France’s Ministry of the Economy and Finance confirmed that an attacker **accessed and consulted data tied to ~1.2 million French bank accounts** by using **stolen login credentials** belonging to an authorized government user of the national bank account registry (*FICOBA*). The intrusion began in **late January 2026** and exposed account-linked personal data including **IBANs**, account holder **names**, **addresses**, and in some cases **tax identification numbers** (DGFiP-issued). Authorities stated the access did **not** enable viewing balances or initiating transactions. After detection, the ministry reported it **blocked the attacker**, notified France’s data protection authority (**CNIL**), and **filed a criminal complaint**; impacted individuals are expected to be contacted directly, and **banks were alerted** to advise customers to remain vigilant. Reporting noted the incident follows other recent cyber disruptions affecting French public services (including attacks impacting **La Poste/La Banque Postale** and the **Interior Ministry**), though no motive or attribution for the FICOBA access has been publicly confirmed.
3 weeks ago
French Education Breaches Expose Data on 1.7 Million People
French education authorities disclosed two significant breaches affecting both public and Catholic school administration systems. The Ministry of National Education said its `Compass` platform, used to manage trainee teachers in primary and secondary education, was compromised after a user reportedly opened a fraudulent email attachment and had credentials stolen. The incident exposed data on about **243,000 people**, including identity and contact details, absence periods, and the identities and professional phone numbers of tutors, though the ministry said no health data was involved. ANSSI was brought in, a crisis cell was opened, and the ministry announced a security plan centered on **multi-factor authentication**, stronger data segmentation, and reduced application exposure. Separately, the Secrétariat général de l’enseignement catholique reported a cyberattack on its management application for nursery and elementary schools that affected about **1.5 million people**. Unauthorized access exposed identification data for application users and contact information for students, families, and teachers, including names, postal and email addresses, phone numbers, and dates of birth, increasing the risk of phishing. The organization said it secured access, suspended affected services, notified authorities including the French Ministry of Education, and engaged specialist responders, while a forum user calling themselves **"Ryolait"** allegedly offered the stolen database for sale starting at **$2,000**. The incidents add to mounting concern over weak security in the education sector, which ANSSI has described as a frequent target of opportunistic attacks.
1 month ago
Data exposures tied to third-party access and credential misuse in Ukraine and France
Ukraine’s National Bank (NBU) took its **collectible coin/numismatic online store** offline after a cyberattack against a supporting **contractor** potentially exposed customer registration data (names, phone numbers, emails, and delivery addresses). The NBU said **core banking systems were not affected** and **no payment card or banking data** was compromised, but warned the exposed PII could be leveraged for **phishing** and other follow-on fraud; the incident was described as consistent with a **supply-chain** intrusion path. In France, authorities disclosed illegal access to a portion of the **National Bank Accounts File (FICOBA)**—a government database used for tax, customs, and law-enforcement purposes—after an attacker **impersonated a civil servant** and used valid credentials to query data. Officials said up to **1.2 million accounts** may have been impacted, with exposed fields potentially including account numbers, names, addresses, and in some cases tax identifiers; **DGFiP**, supported by **ANSSI**, is investigating and notifying affected individuals while banks were alerted to heighten fraud/phishing monitoring. Separately, **Safran Group** denied being cyberattacked, stating that a leaked dataset containing “non-strategic” order/customer details was **inadvertently exposed via a third-party provider**, with external analysis suggesting the compromise occurred elsewhere in the supply chain rather than within Safran’s own systems.
1 month ago