Last week, the French Interior Ministry was forced to publicly acknowledge that a major data breach had apparently occurred at the central registration platform where residents apply for passports, identity cards, residence permits, driving licenses and vehicle registrations.
According to the ministry, an incident took place within the system on 15 April. One day later, unknown actors using the aliases “breach3d” and “ExtaseHunters” offered the stolen personal data for sale on criminal internet forums. The attackers claim to have stolen between 18 million and 19 million records from the agency’s internal systems. That would amount to roughly one-third of France’s population. The sellers appear to refer directly to the previous day’s breach, describing the material as fresh data obtained after a major system breach.
French newspaper Le Figaro initially estimated the breach at around 12 million compromised accounts before later revising the number upward. The government has so far neither confirmed nor denied specific figures, speaking only of a “security incident that could involve the disclosure of data from both private and professional accounts”.
What Was Actually Exposed
Given the nature of passport and residence permit applications, it is likely that full names, email addresses, dates of birth, unique account identifiers, postal addresses, places of birth, telephone numbers and even family relationships may now be exposed. In the digital age, such information is an open invitation to identity fraud and other forms of criminal abuse.
Phishing attacks, of which German lawmakers and parts of the German government have only recently been victims, would be among the mildest consequences.
The French government is trying to contain the damage and has stressed that no data from attached documents or uploaded files was compromised. “The disclosure does not include additional data submitted as part of the various procedures, such as attachments.”
At the same time, the Interior Ministry’s official statement confirms that not only login details such as gender, surnames, first names, email addresses and birth dates may be affected, but also account numbers, postal addresses, places of birth and telephone numbers.
The French case once again shows how poorly governments appear to manage sensitive personal data. While the digitalization of public administration is being pushed forward everywhere and can offer genuine convenience for citizens, many authorities still lack the competence to make these systems genuinely secure.
At the same time, the government remains largely in the dark about the perpetrators and cannot even provide reliable figures on the scale of the theft.
Like many countries, France has built a centralized administrative system for personal records through the France Titres portal. France’s highly centralized state structure also increases the scale of potential damage. In federal countries such as Germany, authorities work more decentralized and data is already spread across 16 federal states and different administrative systems.
Centralized citizen databases not only create a tool for the state to build the “transparent citizen”, they also create the ideal target for hackers, allowing a single successful attack to compromise everything at once.
When the State Cannot Protect Its Own Data
The current attack on France Titres is particularly embarrassing for the French government because several other major public databases have already been hit in recent months.
Only two weeks ago, the French Education Ministry announced that attackers had gained access to student data on the ÉduConnect platform through a compromised employee account at the end of 2025. In February 2026, 243,000 records belonging to employees of the same ministry were stolen in another security breach.
In early March, hackers also stole the health data of 15 million French citizens, exposing highly sensitive medical histories and patient records.
The centralized digital collection of health data has been politically controversial long before the introduction of Covid-era tracking apps. The vulnerability of such systems is repeatedly demonstrated within a very short time.
Germany’s electronic health card, promoted to citizens as a secure way to centrally manage personal medical information, was reportedly cracked in less than 24 hours. The European Union’s latest identification app, presented by European Commission President Ursula von der Leyen, needed only a few hours to become an embarrassment.
In France, registration in many of these digitally managed state systems is mandatory for citizens in order to work in certain professions or handle official matters. They have no real option to opt out, return to paper processes or choose alternative systems.
Yet the same states that cannot reliably protect the data of their own employees or citizens are now increasingly demanding access to even more private information in the name of child protection on the internet.
France is currently demonstrating exactly why critics of centralized digital authentication systems have a point. They are not only a major intrusion into personal freedom and privacy, they also represent one of the greatest unresolved security risks of the digital age.