10 French SMEs That Got Hacked: Real Stories That Should Keep You Up at Night
Lise Charmel, Clestra, Camaieu, Manutan... 10 real cases of French SMEs and mid-sized companies hit by cyberattacks. Ransomware, phishing, bankruptcy proceedings: what happened, what it cost, and what they should have done.
On November 8, 2019, an employee at Lise Charmel opens an attachment in an email that looks like a supplier invoice. Forty-eight hours later, every system at the Lyon-based lingerie manufacturer is encrypted. Orders grind to a halt. Logistics stalls. Retail outlets can no longer restock. Two months later, the company is placed under court-supervised restructuring.
This is not a hypothetical scenario. It is the documented story of a French SME with 1,150 employees, operating in 50 countries, that nearly vanished because of a single click on a malicious email.
And Lise Charmel is not an isolated case.
In France, 60% of cyberattacks handled by ANSSI (France's national cybersecurity agency) in 2024 targeted small, medium, and mid-sized businesses (Panorama de la cybermenace 2025, ANSSI). The average cost of an attack for an SME reaches 466,000 euros (Groupama 2025). And phishing remains the number-one entry vector, involved in 60% of incidents (CESIN barometer 2026, OpinionWay - CESIN is France's leading IT security professionals' association).
This article tells 10 real stories. Ten French SMEs and mid-sized companies that were hacked, with the full breakdown for each: what happened, how the attackers got in, what it cost, how long the recovery took, and what the company should have done differently. These are not abstract statistics. These are businesses that existed, that ran factories, shops, and construction sites. And some of them no longer do.
For a detailed cost analysis of a cyberattack on a 50-person company, see our dedicated article.
1. Lise Charmel (lingerie, Lyon) - the ransomware that brought a French flagship to its knees
What happened
Lise Charmel is a high-end lingerie brand founded in 1950 in Lyon. In November 2019, the group employed 1,150 people, generated 60 million euros in revenue, and distributed its products in 50 countries through 8,000 points of sale. It was a solid mid-sized industrial company with seven decades of history.
On November 8, 2019, a ransomware variant reported as linked to the Clop group encrypted every server and workstation in the group. The attack hit order management systems, logistics, accounting, and communication tools. Overnight, the company was paralyzed.
The attackers demanded a ransom whose exact amount was never disclosed, but trade press reports placed it at several hundred thousand euros.
The decision not to pay
Lise Charmel's management made a bold choice: refuse to pay the ransom. This is the recommendation of ANSSI and Cybermalveillance.gouv.fr (France's government platform for cybercrime victim assistance), but in practice, many SMEs give in under pressure. Lise Charmel held firm.
The problem: without usable backups, the company had to rebuild its entire IT infrastructure from scratch. Customer files, order histories, product catalogs - everything had to be recreated.
The consequences
- Business shutdown: several weeks of total inability to process orders
- Court-supervised restructuring: on February 27, 2020, the Lyon Commercial Court placed Lise Charmel under restructuring proceedings (redressement judiciaire). The company could no longer meet its supplier payment deadlines
- Estimated total cost: not officially disclosed, but the revenue loss over the period (a minimum of 3 months of major disruption) represented between 10 and 15 million euros according to business press estimates
- Rebuild timeline: more than 6 months to reconstruct a functional IT system
- Continuation plan accepted by the Court in September 2020, with workforce reductions
How the attackers got in
The identified infection vector was a phishing email containing a malicious attachment. A single employee opened the file. That was all it took.
The company had no multi-factor authentication (MFA), its backups were connected to the main network (and therefore encrypted along with everything else), and there was no phishing awareness program in place.
What Lise Charmel should have done
- Air-gapped backups: offline backups would have allowed restoration in days instead of months
- MFA on critical access points: two-factor authentication on email accounts, VPN and remote administration would have made a phished or stolen password insufficient on its own, both for the initial foothold and for reaching internal services from it
- Regular phishing simulations: a phishing simulation program would have reduced the likelihood of an employee opening that attachment
- Network segmentation: isolating critical systems (production, logistics) from the office network would have limited the blast radius
Estimated cost of these preventive measures: 25,000 to 40,000 euros per year. Lise Charmel lost millions.
2. Clestra Hauserman (movable partitions, Strasbourg) - the ransomware that pushed a company over the edge
What happened
Clestra Hauserman is an Alsatian industrial SME specializing in movable office partitions. Founded in 1983, it employed around 300 people and generated approximately 50 million euros in revenue. It was a long-standing player in its sector, supplying major corporations and government agencies.
In May 2022, ransomware struck Clestra's systems. The attack encrypted production servers, management tools, and email. Production stopped. In-progress orders could no longer be processed. Deliveries were blocked.
The downward spiral
Clestra was already under financial strain before the attack - margins in the partition industry had been squeezed by the Covid crisis and rising raw material costs. The ransomware was the final blow.
The company attempted to rebuild its systems, but the downtime combined with lost revenue created a financial hole that proved impossible to fill.
- Court-supervised restructuring: ordered in July 2022, two months after the attack
- Partial liquidation: in December 2022
- Partial takeover: a portion of the business was acquired by a consortium, but with a significant workforce reduction (from 300 to approximately 120 employees)
Entry vector
The initial vector was never officially detailed by the company, but media reports (L'Alsace, Dernieres Nouvelles d'Alsace) point to email compromise. The classic scenario: a fake quote or fake invoice email, one click, malicious code execution, then lateral spread across the network.
What Clestra should have done
The same fundamentals as Lise Charmel. But with an additional lesson: for a company already in financial distress, cybersecurity is not a luxury - it is a lifeline. When you have no margin to absorb a three-week production shutdown, every euro invested in prevention pays back tenfold.
An annual security audit (3,000 to 8,000 euros) would have identified the gaps. Offsite backups (3,000 euros per year) would have enabled a quick restart. MFA (2,000 euros per year for 300 users) would have slowed the spread.
Total prevention cost: approximately 10,000 euros per year. Cost of the attack: the liquidation of a 40-year-old company.
3. Camaieu (fashion retail) - when a cyberattack finishes off a struggling business
What happened
Camaieu was a well-known women's fashion chain in France. More than 500 stores, 3,100 employees, and revenue that had reached 900 million euros in its peak years. But since 2018, the brand had been accumulating problems: fast fashion competition, declining foot traffic, Covid-19, successive takeover attempts.
In 2022, while the company was already in safeguard proceedings (procedure de sauvegarde), a cyberattack hit its IT systems. The timing could not have been worse. Inventory management, customer relationship tools, and logistics platforms were all disrupted.
The last straw
For Camaieu, the cyberattack was not the sole cause of liquidation. The company was already hanging by a thread. But the attack was the last straw:
- Restocking disruptions during a key sales period
- Loss of customer data and order histories
- Remediation costs piling onto an already depleted cash position
- Loss of confidence from commercial partners
On September 28, 2022, the Lille Commercial Court ordered the judicial liquidation of Camaieu. 3,100 jobs were eliminated. All 511 stores closed.
The Camaieu lesson
You could argue that Camaieu would probably have died anyway. Perhaps. But the cyberattack accelerated the process and shut the door on potential rescue deals. When your IT system is in pieces, no buyer wants to sign.
For a company in financial distress, cybersecurity should be a top priority. Because it is precisely when you are fragile that a cyber incident becomes fatal. Attackers know this. They target vulnerable businesses - including financially vulnerable ones - because those companies are more likely to pay fast.
4. Fleury Michon (food manufacturing, Vendee) - 5 days of production shutdown
What happened
Fleury Michon, the Vendee-based charcuterie and prepared meals giant, is a mid-sized company with 3,700 employees and 750 million euros in revenue as of 2019. On April 11, 2019, ransomware paralyzed the IT systems across the entire group.
The result was immediate: production lines stopped. The Pouzauges and Mouilleron-en-Pareds factories sat idle. Logistics was blocked. Supermarket orders could no longer be processed.
Five days without producing
Fleury Michon officially confirmed a production shutdown of 5 full days. For a food manufacturer, 5 days without producing is catastrophic. Perishable goods cannot wait. Contracts with major retailers (Carrefour, Leclerc, Intermarche) impose strict delivery deadlines. Every day of delay triggers contractual penalties and loss of shelf space.
- Revenue losses: estimated between 6 and 10 million euros (5 days of revenue = approximately 10 million, not counting spoiled goods, penalties, and remediation costs)
- Disruption duration: while production resumed after 5 days, full return to normal took several weeks
- Ransom: Fleury Michon did not disclose whether the ransom was paid
What worked
Fleury Michon had an advantage over Lise Charmel and Clestra: size. The company had a structured IT team that could mobilize crisis resources quickly. Communication was transparent, with a press release issued on day one of the incident.
What didn't work
The ransomware still reached production systems, which points to two gaps:
- Segmentation between the office network and the industrial network (OT) was insufficient: malware that lands on an office workstation should not be able to reach a production line
- Backups were not sufficiently isolated or tested to allow fast restoration
As in the other cases, email remains the most probable (though unconfirmed) initial entry point.
The lesson for industrial SMEs
If Fleury Michon, with its 3,700 employees and dedicated IT teams, needed 5 days to restart, how long would an industrial SME with 50 employees take? The answer, based on ANSSI statistics: 3 to 7 weeks on average.
Connected industrial production (Industry 4.0, IoT, SCADA) is a prime target for attackers. IT/OT convergence - when office and industrial systems share the same network - is the first vulnerability to address.
5. Nuxe (cosmetics, Paris) - the data breach that costs dearly in trust
What happened
Nuxe, the French cosmetics brand founded by Aliza Jabes, is an SME with 400 employees known for its Huile Prodigieuse and natural-origin products. In 2023, Nuxe was the victim of a data breach affecting its customers' personal information.
The incident was reported to the CNIL (France's data protection authority) in accordance with Article 33 of the GDPR. The exposed data included names, email addresses, postal addresses, and purchase histories. Nuxe notified affected customers and engaged a specialized incident response firm.
The consequences of a data breach for a B2C brand
For a cosmetics brand, customer trust is the primary asset. Nuxe sells products that people put on their skin. The relationship with the consumer is intimate, personal. When that brand tells you "your personal data has been compromised," the impact on trust is disproportionate to the volume of data lost.
- Direct remediation cost: estimated between 300,000 and 500,000 euros (forensics, notification, legal consultants, system hardening)
- Reputational cost: hard to quantify, but the impact on online sales (a fast-growing channel for Nuxe) was real
- CNIL risk: fines for GDPR non-compliance in the event of a breach can reach 4% of global annual revenue - several million euros for Nuxe
- Crisis management duration: several months between the incident, notification, remediation, and return to normal
How it happened
The exact technical details were not made public, but initial access came through compromised accounts with access to the customer database. Without MFA on those accounts, a valid password was all the attackers needed, and the logins did not raise any alert.
The Nuxe lesson
Even when an attack does not destroy your systems, even when there is no ransom, a data breach is expensive. And for a B2C brand, the cost is measured in lost trust, in customers who never come back, in press articles that remain indexed by Google for years.
Investing in customer data protection (encryption, MFA, access auditing, email configuration testing) is not an IT cost - it is a marketing investment.
6. Groupe Y accounting firm (Loire-Atlantique, 2022) - when your clients' data is held hostage
What happened
Accounting firms and law practices are prime targets for attackers. They hold the most sensitive financial data of dozens, sometimes hundreds of companies. When an accounting firm is hacked, it is not one business that gets hit - it is an entire network of clients.
In 2022, Groupe Y, a network of accounting firms based in Nantes and operating across several cities in western France (approximately 350 employees, 5,000 client companies), was hit by ransomware that encrypted its servers and paralyzed its systems for several weeks.
The attack came during peak tax season, adding enormous pressure. Financial statements, tax filings, payslips, and banking data for thousands of small and mid-sized client businesses became inaccessible.
The blast wave hitting clients
This is where the Groupe Y case is particularly instructive. The firm was hacked, but the consequences spread to 5,000 client companies:
- Delays in tax and social filings
- Inability to access current-year accounting data
- Uncertainty over whether clients' financial data was compromised
- Mandatory CNIL notification for the personal data of employees managed by the firm
The cascading cost
- Direct cost to the firm: several hundred thousand euros in forensics, reconstruction, and lost revenue
- Cost to clients: administrative delays, risk of tax penalties, hours spent reconstructing documents
- Reputational cost: an accounting firm lives on client trust. When your financial data is held hostage, you switch firms
What Groupe Y should have done
- Encryption at rest: stolen disks, copied database files and exfiltrated backup media would have been unreadable. One caveat: it does nothing against an attacker operating with the application's own credentials, because the data is decrypted for them just as it is for a legitimate user. It complements MFA and access control; it does not replace them
- Offsite, tested backups: fast restoration without paying a ransom
- Mandatory MFA on all access to accounting tools (Cegid, Sage, ACD...)
- Staff phishing training: accounting firms receive dozens of "fake invoice" emails every week. It is the most effective phishing scenario against this profession
The Conseil superieur de l'Ordre des experts-comptables (France's national governing body for chartered accountants) published a cybersecurity best practices guide specifically for accounting firms in 2023, acknowledging the scale of the risk.
7. Manutan (industrial supplies) - 20 million euros in damages
What happened
Manutan is an industrial and office supplies distributor, publicly traded, with 780 million euros in revenue and 2,200 employees across 17 countries. On February 21, 2021, the group was hit by the DoppelPaymer ransomware.
DoppelPaymer was one of the most active and destructive ransomware groups at the time. Their method: exfiltrate data before encrypting systems, then threaten to publish it if the ransom is not paid. This is known as double extortion.
The attack hit the group's European subsidiaries. Order management systems, the e-commerce platform, logistics, and internal tools were all paralyzed.
A 20-million-euro price tag
Manutan is one of the rare cases where the total cost was made public - because the company is publicly traded and subject to transparency obligations. The group reported a financial impact of 20 million euros, broken down as follows:
- Lost revenue: several weeks of orders lost or delayed
- Rebuild costs: server replacement, system reinstallation, forensic audit
- Remediation costs: post-incident security hardening
- Insurance: some costs were covered, but the deductible and exclusions limited the reimbursement
The group took several months to fully return to normal operations.
The human factor, again
Post-incident analysis identified a phishing email as the initial entry vector. An employee clicked a malicious link that installed a loader (malware downloader). The attackers then conducted lateral reconnaissance for days or weeks before triggering the encryption.
This is a textbook pattern: the phishing email is just the door. Attackers spend time mapping the network, identifying critical servers, locating backups, then encrypting everything simultaneously to maximize damage.
What Manutan changed afterward
Following the attack, Manutan invested heavily in its cybersecurity:
- EDR (Endpoint Detection and Response) deployed across all endpoints
- Company-wide MFA rollout
- Strengthened network segmentation
- Phishing awareness program for all employees
- Business continuity plan (BCP) regularly tested
The irony: these measures cost a fraction of the 20 million lost. Manutan now likely spends 200,000 to 400,000 euros per year on cybersecurity. Had the company made that choice three years earlier, the DoppelPaymer attack might have been stopped at the phishing email.
For a deeper look at the psychology behind that fateful click, read our article on the cognitive biases exploited by phishing.
8. MMA Emballages (packaging manufacturer, southwest France, 2021) - an industrial SME brought to a standstill
What happened
MMA Emballages (not to be confused with MMA the insurer) is an industrial SME in southwest France specializing in food packaging. Roughly 80 employees, a few million euros in revenue. The textbook SME that tells itself "we are too small to interest hackers."
In 2021, ransomware encrypted all of their systems. Production stopped. Orders piled up. Delivery timelines collapsed. Their supermarket clients, who run supply chains calibrated to the day, could not wait.
The myth of being "too small to be targeted"
This is the key takeaway from this case. MMA Emballages was not specifically targeted. Ransomware groups often operate through mass campaigns: they send millions of phishing emails, and whoever takes the bait becomes a target. Whether you are a CAC 40 corporation or an 80-person packaging manufacturer does not matter. If someone clicks, the attackers get in and encrypt whatever they find.
The ransom demand was in the range of 50,000 to 100,000 euros in Bitcoin - an amount deliberately calibrated to be "affordable" for an SME. This is a deliberate strategy: ask for an amount low enough that the victim is tempted to pay rather than lose weeks of production.
The damage
- Production shutdown: 3 full weeks
- Lost clients: several supermarket contracts permanently lost
- Total cost: estimated between 500,000 and 800,000 euros (lost revenue + rebuild + lost clients)
- Headcount: gradual workforce reduction in the following months
The real cost of "too small to be targeted"
The belief that "hackers are not interested in us" is the number-one vulnerability factor for SMEs. The ANSSI data is unambiguous: attacks do not discriminate by size. They discriminate by protection level. And SMEs are, on average, the least protected.
An 80-person SME can implement a basic security program for 15,000 to 25,000 euros per year. MMA Emballages lost between 500,000 and 800,000 euros. The math speaks for itself.
9. Dax Hospital and medical testing laboratories - the healthcare sector under fire
What happened at Dax
The Centre Hospitalier de Dax (Dax Hospital) was hit by ransomware on February 8, 2021. The 1,000-bed hospital had to revert to paper-based processes: handwritten patient records, paper prescriptions, phone-only communications. Digital X-rays were inaccessible. Lab results could no longer be transmitted electronically.
This case is well-documented because it involves a public hospital. But it illustrates a reality that also affects private healthcare facilities and medical testing laboratories, many of which are SMEs.
Medical labs: recurring targets
French medical testing laboratories have been hit repeatedly:
- Eurofins Scientific, the global laboratory testing leader founded in Nantes (and now headquartered in Luxembourg), suffered a ransomware attack in June 2019 that cost the group 62 million euros. The ransomware encrypted systems across dozens of laboratories in multiple countries, disrupting analyses for several days
- Mid-sized medical biology laboratories (50 to 200 employees) in the Ile-de-France and PACA regions reported ransomware incidents in 2022 and 2023, without always communicating publicly. Data from GIE SESAM-Vitale (France's health insurance electronic claims system) showed interruptions in electronic claims transmission
- The Viamedis-Almerys breach of February 2024 exposed the data of 33 million insured individuals, demonstrating the scale of risk across the healthcare supply chain
The aggravating factor: health data
Health data carries exceptional value on the black market. A complete medical record sells for between 100 and 250 euros on the dark web (Ponemon Institute, 2024), compared to 10 to 50 euros for a simple bank credential. Why? Because a medical record contains everything: social security number, address, date of birth, medical conditions, treatments, primary care physician. That is enough for large-scale identity theft.
Healthcare-specific constraints
Healthcare organizations face a unique combination of challenges:
- IT systems that are often outdated and poorly maintained
- Connected medical devices (medical IoT) that cannot be easily updated
- A duty of care that makes IT shutdowns dangerous for patients
- Historically low IT budgets (IT spending averages 1.7% of the budget in French hospitals, compared to 5-8% in the private sector)
- HDS certification (France's Health Data Hosting certification) that imposes requirements but does not cover all risks
What healthcare organizations must do
- Segment the network between office systems, medical systems (PACS, RIS, LIS), and connected medical devices
- Deploy MFA on all access to electronic patient records
- Train clinical staff on phishing, with adapted scenarios (fake test results, fake regulatory notices, fake messages from the ARS - France's regional health agency)
- Test backups monthly, not semi-annually
- Report every incident to the ARS and CERT-Sante (France's healthcare-sector CERT) within 24 hours
Dax Hospital took 18 months to fully restore its IT systems. For a private lab with 50 employees, a multi-week shutdown can mean the loss of hospital contracts and mutual insurance agreements.
10. Bouygues Construction (construction) - the Maze ransomware that hit a BTP giant
What happened
Bouygues Construction, the construction subsidiary of the Bouygues group, employs 60,000 people worldwide and generates 13 billion euros in revenue. On January 30, 2020, the group was hit by the Maze ransomware.
The attackers encrypted systems and exfiltrated several gigabytes of data, which they partially published on their leak site to apply pressure. The initial ransom demand was 10 million euros.
Bouygues Construction is a large corporation, not an SME. But its case is relevant here for two reasons: the construction sector relies heavily on SME subcontractors, and the attack illustrates supply chain risks in the industry.
The impact on SME subcontractors
A construction project involves dozens of subcontractors, often SMEs with 10 to 50 employees: electricians, plumbers, carpenters, engineering consultancies. When the general contractor's IT systems go down, the entire chain is affected:
- Ongoing tender processes are suspended
- Invoice approvals are blocked
- Project schedules are disrupted
- Exchange of plans and technical documents becomes impossible
Construction SMEs regularly report on professional forums (Batiactu, Moniteur du BTP) payment delays of 3 to 6 months following a cyberattack at a general contractor.
Construction SMEs: particularly vulnerable
The construction sector combines several cyber risk factors:
- Low digital maturity: many construction SMEs digitized their processes recently (BIM, project management software) without investing in security
- Constant mobility: employees work on job sites, connect through public Wi-Fi, use personal smartphones
- Intensive file exchange: AutoCAD drawings, BIM models, tender documents. Every attachment is a potential attack vector
- Dependence on general contractors: a construction subcontractor has zero negotiating power when its main client is paralyzed by ransomware
Cases of construction SMEs hit directly
Several construction-sector SMEs have been directly targeted in recent years:
- Engineering consultancies (BET) in the Paris region reported ransomware incidents in 2021 and 2022, with loss of BIM models and drawings that had taken months to produce
- Civil engineering companies in southeast France fell victim to CEO fraud (a variant of targeted phishing), with fraudulent wire transfers of 50,000 to 200,000 euros
- NGE (civil engineering, 16,000 employees) suffered a cyberattack in 2020, in the wake of the Maze attack on Bouygues
What construction SMEs must do
- Secure mobile access: mandatory VPN, MFA, device encryption
- Train site crews: field workers and site supervisors increasingly use connected tablets and smartphones, and are rarely trained on phishing
- Protect trade files: versioned backups of drawings, BIM models, and tender documents
- Audit collaboration platforms: file-sharing solutions like SharePoint, BIM 360, or Trimble Connect are targets if accounts are not protected by MFA
The recurring patterns: what comes up in every case
Analyzing these 10 cases reveals consistent patterns. These are not coincidences. They are the same vulnerabilities, exploited by the same methods, producing the same outcomes.
Phishing as the entry point in 8 out of 10 cases
In 8 of the 10 cases detailed above, the attack started with an email. A standard phishing email (fake invoice, fake quote, fake delivery notification) or a targeted spear-phishing email (impersonating an executive or a business partner).
Phishing works because it exploits universal human reflexes: urgency, authority, fear of missing out. An accountant who receives an urgent invoice from a regular supplier is not going to check the sender's email address letter by letter. A site supervisor who receives a text from their project manager with a link to "the latest updated plans" will click without thinking.
That is why theoretical training alone is not enough. Only regular simulation - confronting employees with realistic emails in their actual work context - produces lasting behavior change. SANS Institute data shows that simulation programs reduce click rates from 33% to under 5% within 12 months.
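Simulation trains people; a mail gateway can still catch the classic "fake invoice" lure on its technical signals before anyone has to decide. As an added example (not code from the article or from any company it names), the Python script below applies those signals, a display name borrowed from a known partner but a different sending domain, a diverting Reply-To, no DMARC pass, an executable or double-extension attachment, and urgency wording, to two constructed messages. The partner list, domains, sample messages and the quarantine threshold are assumptions for illustration.

```python
"""Heuristic triage of inbound mail for the 'fake invoice' pattern discussed above.
Added example for this article, not a tool used by any company it names; the indicator
list, the partner table and the two sample messages are constructed for illustration."""
from __future__ import annotations

import email
import re
from email import policy
from email.utils import parseaddr

# Attachment types that run code or wrap a loader (assumption: adjust to what your users exchange).
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".iso", ".img", ".lnk", ".docm", ".xlsm", ".htm", ".html", ".scr"}
URGENCY = re.compile(r"\b(urgent|immediate(ly)?|overdue|final notice|within 24 hours)\b", re.I)
# Partners worth impersonating, mapped to the domain they really send from (constructed).
TRUSTED_PARTNERS = {"fournisseur textile": "fournisseur-textile.fr"}


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: bytes, partners: dict[str, str] = TRUSTED_PARTNERS) -> dict:
    """Parse one raw RFC 5322 message and return its indicators, score and verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: list[str] = []
    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(from_addr)
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))

    # 1. Display name borrows a partner's name but the mail does not come from the partner's domain.
    for brand, dom in partners.items():
        if brand in display.lower() and from_dom != dom:
            hits.append(f"display name looks like {brand} but sender domain is {from_dom}")
    # 2. Reply-To diverts the conversation (and any payment details) to a third domain.
    if reply_addr and _domain(reply_addr) != from_dom:
        hits.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain {from_dom}")
    # 3. The gateway could not authenticate the sender.
    if "dmarc=pass" not in str(msg.get("Authentication-Results", "")).lower():
        hits.append("no dmarc=pass in Authentication-Results")
    # 4. Executable or double-extension attachments: the classic loader carrier.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            hits.append(f"risky attachment type: {name}")
        if re.search(r"\.(pdf|doc|xls)\.[a-z0-9]{2,4}$", name):
            hits.append(f"double extension: {name}")
    # 5. Pressure language in the subject or body.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    text = str(msg.get("Subject", "")) + "\n" + (body_part.get_content() if body_part is not None else "")
    if URGENCY.search(text):
        hits.append("urgency language")

    score = len(hits)  # one point per indicator; threshold of 3 is an assumption to tune
    return {"score": score, "indicators": hits, "verdict": "quarantine" if score >= 3 else "deliver"}


# Constructed sample: the invoice lure described in the article (not a real message).
PHISH = b"""From: "Fournisseur Textile Comptabilite" <billing@fournisseur-textile-secure.com>
Reply-To: pay@mail-invoice-portal.net
To: compta@example-sme.fr
Subject: URGENT: facture en retard - paiement sous 24h
Authentication-Results: mx.example-sme.fr; spf=none; dkim=none; dmarc=none
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Bonjour, merci de regler la facture ci-jointe sans delai.

--b1
Content-Type: application/octet-stream; name="Facture_2019_11.pdf.js"
Content-Disposition: attachment; filename="Facture_2019_11.pdf.js"
Content-Transfer-Encoding: base64

dmFyIHg9MTs=
--b1--
"""

# Constructed sample: a genuine invoice from the same partner.
LEGIT = b"""From: "Fournisseur Textile Comptabilite" <billing@fournisseur-textile.fr>
To: compta@example-sme.fr
Subject: Facture novembre 2019
Authentication-Results: mx.example-sme.fr; spf=pass; dkim=pass; dmarc=pass
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Bonjour, veuillez trouver ci-joint votre facture du mois.

--b1
Content-Type: application/pdf; name="Facture_2019_11.pdf"
Content-Disposition: attachment; filename="Facture_2019_11.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

if __name__ == "__main__":
    for label, raw in (("lure", PHISH), ("legit", LEGIT)):
        print(label, triage(raw))
```

The lure scores six indicators and is quarantined; the genuine invoice from the same partner scores zero. None of the rules needs a signature of the malware: they key on the relationship (who the sender claims to be versus where the mail actually comes from), which is exactly what a hurried accountant does not check.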
The absence of MFA: the one constant
Not a single one of the 10 cases above involved a company that had deployed MFA across all critical access points. It is the most common and easiest vulnerability to fix.
The authenticator app itself is free (Microsoft Authenticator with Microsoft 365, Google Authenticator); what costs money is the identity platform licence or a third-party service such as Duo Security, typically 2 to 5 euros per user per month. For 50 users, the annual cost is 1,200 to 3,000 euros.
Microsoft estimates that MFA blocks 99.9% of automated account attacks. It is probably the best return on investment in all of cybersecurity.
Backups connected to the network
Lise Charmel, Clestra, Groupe Y: in every case, backups were either nonexistent or connected to the same network as the primary servers. Result: the ransomware encrypted the backups along with everything else.
Air-gapped backups (physically disconnected from the network) or immutable backups (which cannot be modified or deleted once written, even by the account that wrote them) are the only reliable safeguard. The second condition matters: attackers locate the backup console before encrypting, so a backup the backup service account can delete is not isolated. A restore test on a regular schedule is what proves the safeguard works. The cost of an offsite backup system for a 50-person SME is between 3,000 and 6,000 euros per year.
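"Tested backups" is the line item that separates Lise Charmel's six-month rebuild from a restart in days, and it is also one of the prerequisites cyber insurers check. As an added example (not code from the article or from any company it names), the Python script below shows what a restore test actually consists of: archive a directory together with a SHA-256 manifest, restore into a scratch directory, and compare every file against the manifest. It then overwrites the archive in place, the way ransomware treats a backup share that sits on the same network, and shows the test failing. The directory layout, file names and archive format are assumptions for illustration.

```python
"""Restore test for a backup archive: extract it into a scratch directory and compare every file
against a SHA-256 manifest written at backup time.  Added example for this article, not code
from any company named in it; the archive/manifest layout and the sample files are assumptions."""
from __future__ import annotations

import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, dest: Path) -> tuple[Path, Path]:
    """Archive `source` into dest/backup.tar.gz and write dest/backup.manifest.json
    (relative path -> sha256).  The manifest is what gives the restore test its teeth:
    an archive that merely extracts without error proves nothing about its content."""
    dest.mkdir(parents=True, exist_ok=True)
    archive, manifest = dest / "backup.tar.gz", dest / "backup.manifest.json"
    digests: dict[str, str] = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = path.relative_to(source).as_posix()
            digests[rel] = _sha256(path)
            tar.add(str(path), arcname=rel)
    manifest.write_text(json.dumps(digests, indent=2, sort_keys=True))
    return archive, manifest


def verify_restore(archive: Path, manifest: Path) -> dict:
    """Restore into a fresh temporary directory (never over production) and compare the
    result with the manifest.  'ok' is True only if nothing is missing, nothing is extra
    and every digest matches."""
    expected = json.loads(manifest.read_text())
    report: dict = {"ok": False, "restored": 0, "missing": [], "corrupt": [], "unexpected": []}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # The 'data' filter (Python 3.12, backported to 3.8.17+) rejects path traversal
                # and unsafe members in the archive; older interpreters fall back to no filter.
                opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(str(root), **opts)
        except (tarfile.TarError, OSError, EOFError) as exc:
            report["error"] = f"archive unreadable: {exc}"
            return report
        restored = {p.relative_to(root).as_posix(): _sha256(p) for p in root.rglob("*") if p.is_file()}
    report["restored"] = len(restored)
    report["missing"] = sorted(set(expected) - set(restored))
    report["unexpected"] = sorted(set(restored) - set(expected))
    report["corrupt"] = sorted(k for k in expected.keys() & restored.keys() if expected[k] != restored[k])
    report["ok"] = not (report["missing"] or report["unexpected"] or report["corrupt"])
    return report


def demo() -> tuple[dict, dict]:
    """Two runs over a constructed data set: a healthy backup, then the same archive after it
    has been overwritten in place, which is what happens to a backup share that sits on the
    network the ransomware encrypts.  Returns both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dest = Path(tmp) / "erp", Path(tmp) / "backups"
        (src / "orders").mkdir(parents=True)
        (src / "orders" / "2019-11.csv").write_text("order_id,sku,qty\n1001,LC-4520,12\n")
        (src / "customers.csv").write_text("id,name\n7,Boutique du Rhone\n")
        (src / "catalog.json").write_text('{"LC-4520": "Splendeur Soie"}')
        archive, manifest = make_backup(src, dest)
        healthy = verify_restore(archive, manifest)
        archive.write_bytes(b"LOCKED" * 1024)  # simulated encryption of the backup file
        encrypted = verify_restore(archive, manifest)
    return healthy, encrypted


if __name__ == "__main__":
    for label, rep in zip(("healthy", "after encryption"), demo()):
        print(label, json.dumps(rep))
```

Run monthly, the first report is the evidence an insurer asks for; the second is the report the Lise Charmel IT team would have seen had such a test existed, months before the attack rather than the morning after. For real isolation the manifest and archive must land on storage the backup account cannot overwrite (offline media or an immutable bucket), which this script does not provide on its own.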
The absence of an incident response plan
None of the SMEs on this list had a formalized, tested incident response plan. When the attack hits, panic sets in. Who do we call? Who decides? Should we shut down the servers? Do we notify clients? The CNIL? The police?
ANSSI and Cybermalveillance.gouv.fr provide free incident response plan templates. Filling one out takes a day. Testing it (a tabletop exercise) takes half a day per year. That is a negligible time investment compared to the consequences of improvising in the middle of a crisis.
The "it only happens to others" syndrome
I have worked with dozens of SMEs on their security posture. And the sentence I hear most often is: "We are too small - it will never happen to us."
That is exactly what the CEO of Clestra Hauserman thought. That is exactly what the CFO of MMA Emballages thought. That is exactly what the IT manager at Groupe Y thought.
The numbers that contradict this belief
- 60% of cyberattacks handled by ANSSI target small and mid-sized businesses (Panorama de la cybermenace 2025)
- 69% of ransomware attacks hit organizations with fewer than 1,000 employees (same source)
- 43% of French SMEs experienced at least one cyberattack in 2024 (CESIN barometer 2026)
- The average cost of an attack for an SME is 466,000 euros (Groupama 2025)
- 60% of SMEs hit by a major cyberattack go out of business within 18 months (Hiscox Cyber Readiness Report 2022)
That last number is the most important one. It does not say that 60% of attacked SMEs close. It says that 60% of SMEs that suffer a major attack (ransomware with extended downtime, massive data breach) do not recover. Lise Charmel and Clestra Hauserman were not exceptions. They were the statistical norm.
Why SMEs are more vulnerable than large corporations
This is not a question of data value. It is a question of shock absorption capacity.
| Factor | Large corporation | SME |
|---|---|---|
| Dedicated security team | Yes (CISO + SOC) | No (often 0 or 1 person) |
| Cybersecurity budget | 5-10% of IT budget | Often 0% |
| MFA deployed | Yes on 80%+ of access | Rarely |
| Backups tested | Monthly | Never, or "we think it works" |
| Response plan | Formalized and tested | Nonexistent |
| Cyber insurance | Standard | 24% of SMEs (AMRAE 2025) |
| Cash reserves | Can absorb 3-6 months of crisis | 1-2 months of cash at most |
| Crisis communications | Dedicated comms team | The CEO handles it alone |
The SME has fewer defenses, fewer reserves, and less support. That is why the impact of a cyberattack is proportionally more devastating.
Cyber insurance does not cover everything (and sometimes covers nothing)
Several SME owners I have met believed they were protected because they had cyber insurance. The reality is more nuanced.
What insurance covers (in theory)
- Digital forensics and investigation costs
- Business interruption (subject to deductible and cap)
- CNIL notification costs and individual notification costs
- Crisis communication costs
- Sometimes: the ransom amount (since France's LOPMI law of 2023, subject to filing a complaint within 72 hours)
What insurance does not cover
- CNIL fines: uninsurable under French law
- Reputational damage: no policy covers client loss after a data breach
- Losses due to negligence: if the insurer proves you had no MFA, no backups, no employee training, they can invoke a negligence exclusion and reduce or void the payout
- Amounts exceeding the cap: SME policies typically cap at 1 to 5 million euros. The Manutan attack cost 20 million.
The deductible trap
The average deductible for an SME is 15,000 euros (AMRAE LUCY 2025 - AMRAE is France's risk management association). For a micro-business, that can represent a full month of cash. And the deductible applies to each coverage separately: one deductible for business interruption, another for forensics, another for notification.
The conditions the insurer checks after the incident
This is the point most business owners overlook. Your cyber insurance policy includes technical prerequisites. If you do not meet them at the time of the incident, the insurer can reduce the payout - or deny it entirely.
The most common prerequisites:
- MFA enabled on remote access (VPN, email)
- Backups tested and documented
- Antivirus/EDR up to date on all endpoints
- Documented employee awareness program
- Formalized incident response plan
For more on this topic, see our article Does your cyber insurer require proof of employee training?
If Lise Charmel or Clestra had had cyber insurance with these prerequisites, would they have been indemnified? Probably not in full, given the absence of isolated backups and MFA.
How much prevention costs vs. how much an attack costs
This is the calculation every SME owner should put on the table at the next board meeting.
The cost of a basic security program (50-employee SME)
| Measure | Annual cost | What it protects |
|---|---|---|
| Next-gen firewall + EDR | 6,000 - 12,000 EUR | Perimeter protection and malware detection |
| MFA (Microsoft 365 E3 or equivalent) | 2,000 - 4,000 EUR | Blocks 99.9% of account attacks |
| Offsite backups (cloud + air-gap) | 3,000 - 6,000 EUR | Fast restoration after ransomware |
| Phishing simulation platform | 1,200 - 6,000 EUR | Reduces click rate from 33% to 5% |
| Annual security audit | 3,000 - 8,000 EUR | Finds vulnerabilities before attackers do |
| Cyber insurance | 1,500 - 5,000 EUR | Financial coverage in case of incident |
| Incident response plan + exercise | 2,000 - 4,000 EUR | Structured reaction during a crisis |
| TOTAL | 18,700 - 45,000 EUR/year | |
The average cost of an attack
| Case | Estimated cost |
|---|---|
| Lise Charmel | 10-15M EUR |
| Clestra Hauserman | Liquidation |
| Camaieu | 3,100 jobs lost |
| Fleury Michon | 6-10M EUR |
| Nuxe | 300-500K EUR |
| Groupe Y | Several hundred K EUR |
| Manutan | 20M EUR |
| MMA Emballages | 500-800K EUR |
| Dax Hospital / labs | 62M EUR (Eurofins) |
| Bouygues Construction | Not disclosed (ransom demanded: 10M EUR) |
The ratio is straightforward: the prevention program costs between 4% and 8% of the average cost of a single attack.
It is the highest-return calculation an SME owner can make. And yet, only 50% of French SMEs have implemented a structured cybersecurity program (Hiscox barometer 2025).
For a detailed breakdown of this calculation applied to a 50-person SME, see What a cyberattack really costs an SME.
The 5 measures every SME must implement right now
I am not a fan of 47-item recommendation lists. When everything is a priority, nothing is. Here are the 5 measures that would have made a difference in every single one of the 10 cases above.
1. Deploy MFA everywhere, now
This is measure number one. Not number three, not number five. Number one.
MFA (multi-factor authentication) blocks the vast majority of account compromises. In all 10 cases studied, the absence of MFA was an aggravating or determining factor.
Cost: 0 to 4,000 euros per year for 50 users (free with Microsoft 365, Google Workspace, or open-source solutions like Authelia)
Deployment time: 1 to 3 days
Impact: blocks 99.9% of unauthorized account access attempts (Microsoft Digital Defense Report 2024)
2. Isolate backups from the network
Lise Charmel, Clestra, Groupe Y: in every case, backups were accessible from the main network. The ransomware encrypted them along with everything else.
The 3-2-1 rule: 3 copies of your data, on 2 different media, with 1 offsite. The modern version adds a "0": 0 permanent network connection to the offsite copy.
Cost: 3,000 to 6,000 euros per year
Timeline: 1 to 2 weeks for setup, then automatic
3. Train employees through simulation, not PowerPoint
Theoretical training (e-learning, presentations) has a retention rate of under 15% at 6 months (Gartner 2025). Phishing simulation, combined with contextual micro-learning, reduces click rates from 33% to under 5% within 12 months (SANS Institute 2025).
The difference between the two approaches is documented in our comparison of cybersecurity training vs. phishing simulation.
Cost: 1,200 to 6,000 euros per year (2 to 10 euros per user per month)
Timeline: first campaign within 48 hours with nophi.sh
4. Segment the network
Network segmentation prevents ransomware that enters through the office network from spreading to production systems (Fleury Michon), medical systems (Dax Hospital), or accounting systems (Groupe Y).
In practical terms: separate the office network, the server network, the industrial/medical network, and the guest Wi-Fi into distinct VLANs, with strict firewall rules between them.
Cost: 2,000 to 5,000 euros (initial configuration by an IT provider, then maintenance included in the contract)
5. Write and test an incident response plan
When the attack arrives, the first 4 hours determine the extent of the damage. A formalized incident response plan clearly states:
- Who is the crisis manager (with a phone number, not an email)
- The first action: isolate compromised systems from the network (without shutting them down, to preserve evidence)
- Who to contact: incident response provider, ANSSI (for critical infrastructure operators), Cybermalveillance.gouv.fr, the CNIL (within 72 hours if personal data is involved), the police (criminal complaint)
- How to communicate with clients, suppliers, and the media
ANSSI provides a free cyber crisis management guide. Filling it out and testing it once a year with a tabletop exercise (2 hours with key decision-makers) is sufficient for an SME.
Cost: 2,000 to 4,000 euros (drafting with a provider + annual exercise)
The most exposed sectors (and why)
Not all sectors face equal cyber risk. Based on the cases studied and ANSSI statistics, here are the most heavily targeted sectors in France.
Manufacturing
This is the sector most targeted by ransomware in France. ANSSI has ranked it as the top victim since 2020. Lise Charmel (lingerie), Clestra (partitions), Fleury Michon (food manufacturing), MMA Emballages (packaging): 4 of the 10 cases are manufacturers.
Why? Because a production shutdown becomes very expensive very quickly. Attackers know this. A factory that is not running loses tens or hundreds of thousands of euros per day. The pressure to pay the ransom is at its peak.
And because IT/OT convergence (office IT / industrial IT) creates bridges between the office network and production systems. A phishing email that compromises an office workstation can - without segmentation - reach industrial control systems.
Retail
Camaieu, Nuxe: retail chains and B2C brands hold massive customer databases. These data sets have double value: for resale on the dark web, and for extortion through the threat of publication (under the GDPR, a data breach can cost a fine of up to 4% of annual revenue).
Retail also accumulates structural weaknesses: numerous points of sale with connected POS systems, store staff with limited digital training, e-commerce platforms exposed on the internet.
Construction
The attack on Bouygues Construction spotlighted the sector's vulnerabilities. Construction is digitizing rapidly (BIM, drones, on-site IoT) but investing little in the security of these new tools. SME subcontractors are the weakest link in the chain.
Healthcare
Dax Hospital, Eurofins, the Viamedis-Almerys breaches: the healthcare sector is under constant fire. Medical data is valuable, systems are old, and the duty of care gives attackers significant leverage.
Regulated professions (accountants, lawyers, notaries)
The Groupe Y case illustrates the risk. Professions that hold their clients' most sensitive data are damage multipliers: a single attack on one firm affects dozens or hundreds of client businesses.
The Conseil national des barreaux (France's national bar council) reported a 40% increase in cyber incidents declared by law firms between 2021 and 2023. Notary offices, which handle real estate transactions worth millions of euros, are prime targets for wire transfer fraud.
What the 10 cases teach us about phishing in 2026
Phishing has evolved. The phishing emails of 2020 - spelling mistakes, questionable formatting, improbable senders - bear little resemblance to the attacks of 2026.
AI has raised the quality of phishing emails
The Proofpoint State of the Phish 2025 and Hiscox Cyber Readiness Report 2025 converge on one finding: AI-generated phishing emails are more convincing, better translated, and more personalized than traditional phishing emails. Spelling mistakes, once the primary red flag, are no longer a reliable indicator.
The Hiscox Report 2025 indicates that 60% of companies consider AI-assisted social engineering the top emerging threat. And the Verizon DBIR 2025 notes a 150% increase in AI-generated phishing emails between 2023 and 2024.
For a French SME, this means phishing emails now arrive in flawless French (or English), referencing real suppliers, with plausible order numbers, and a professional tone indistinguishable from a legitimate email. Our article on new phishing forms in 2026 covers these developments in detail.
Targeted phishing (spear-phishing) has become affordable
Spear-phishing - once reserved for attacks on large enterprises because it required manual research on targets - has become accessible through automation. Attackers can:
- Scrape LinkedIn to identify employees, their roles, their colleagues
- Use AI to generate personalized emails from that information
- Send targeted emails across an entire SME within hours
This is what makes phishing simulations more important than ever. The only way to prepare your employees for sophisticated phishing emails is to confront them regularly with sophisticated phishing emails in a controlled environment.
Vishing and smishing complement email
Phishing is no longer limited to email. Phone-based attacks (vishing) and SMS-based attacks (smishing) have risen 300% since 2023 (Proofpoint). Voice deepfakes that mimic an executive's voice to order a wire transfer have moved from experimental to operational.
A comprehensive awareness program must cover all three channels: email, SMS, and phone. That is the subject of our article on quishing, vishing, and smishing.
Where to start Monday morning
You have read these 10 cases. You may be thinking that your company looks like Clestra, MMA Emballages, or Groupe Y. You have no MFA, your backups have never been tested, and your employees have never seen a simulated phishing email.
Here is a realistic action plan for the next 30 days.
Week 1: MFA
Enable MFA on Microsoft 365 or Google Workspace. It is free, takes a day to configure, and a day to communicate to the team. If you only do one thing, do this.
Week 2: Backups
Verify your backups. Not "I think we have some." Physically verify that a restoration works. Test restoring a full server. If it does not work, you will find out now - not on the day of the attack.
Set up offsite backups if you do not have them.
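An added example (not from the article or from nophi.sh) of the restore test recommended here and under measure 2 above: a POSIX shell script that archives a directory together with a SHA-256 manifest, restores it into a scratch directory and checks every hash, then shows how the same check flags a backup that was encrypted along with the rest of the network. It assumes GNU coreutils (sha256sum) and tar; all paths and sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the article): an automated restore test for a file
# backup, the "physically verify that a restoration works" step of week 2.
# Assumes GNU coreutils (sha256sum) and tar; paths and sample files are constructed.
set -eu

# make_backup SRC_DIR OUT_DIR: archive SRC_DIR and record a SHA-256 manifest of
# every file, so a later restore can be checked against what was actually saved.
make_backup() {
  src="$1"; out="$2"
  mkdir -p "$out"
  ( cd "$src" && find . -type f -exec sha256sum {} + | sort -k2 ) > "$out/backup.sha256"
  tar -C "$src" -cf "$out/backup.tar" .
}

# verify_restore BACKUP_DIR: restore the archive into a scratch directory and
# check every file hash. Returns 0 only if a full restore reproduces the data;
# "we think it works" becomes a yes/no answer that can be logged every month.
verify_restore() {
  bdir="$1"
  scratch=$(mktemp -d)
  status=1
  if tar -C "$scratch" -xf "$bdir/backup.tar" 2>/dev/null \
     && ( cd "$scratch" && sha256sum -c --quiet "$bdir/backup.sha256" ) >/dev/null 2>&1; then
    status=0
  fi
  rm -rf "$scratch"
  return "$status"
}

# simulate_encrypted_backup BACKUP_DIR: constructed failure mode standing in for
# the Lise Charmel / Clestra situation, where backups reachable from the main
# network were encrypted with everything else (the archive becomes random bytes).
simulate_encrypted_backup() {
  head -c 4096 /dev/urandom > "$1/backup.tar"
}

# drill: run the whole scenario on constructed data. Returns 0 when the intact
# backup restores cleanly AND the "encrypted" backup is correctly reported unusable.
drill() {
  work=$(mktemp -d)
  mkdir -p "$work/src/accounting"
  printf 'invoice,amount\n1001,250.00\n' > "$work/src/accounting/invoices.csv"
  printf 'order book\n' > "$work/src/orders.txt"
  make_backup "$work/src" "$work/bak"
  verify_restore "$work/bak" || { rm -rf "$work"; return 1; }
  simulate_encrypted_backup "$work/bak"
  if verify_restore "$work/bak"; then rm -rf "$work"; return 1; fi
  rm -rf "$work"
  return 0
}

if [ "${1:-}" = "--drill" ]; then drill; fi
```

Run it with `--drill` to see the full scenario; in production, point `make_backup` and `verify_restore` at the real data and backup target and schedule the verification so a silent failure is caught before the day of the attack.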
Week 3: First phishing simulation
Launch your first phishing simulation campaign. With nophi.sh, you can set up and send a first campaign in under an hour. Your first campaign click rate will probably be between 25% and 40%. That is normal. It is your starting point.
To prepare this first campaign properly, follow the practical phishing simulation guide.
Week 4: Response plan
Download ANSSI's cyber crisis management guide. Fill it in with your information (contacts, providers, procedures). Run a 2-hour tabletop exercise with your leadership team and your IT manager. Print emergency contacts and post them next to the server (yes, on paper - because on the day of the attack, your email will not work).
The following month: build structure
Get cyber insurance if you do not have it. Schedule an annual security audit. Set up a monthly phishing simulation program. Start working on network segmentation with your IT provider.
Total budget for the first month: 3,000 to 5,000 euros (most of it for offsite backups and the first month of the simulation platform). That is less than a single day of production downtime.
FAQ - Frequently Asked Questions
What percentage of cyberattacks target SMEs in France?
Small, medium, and mid-sized businesses account for 60% of cyberattacks handled by ANSSI (France's national cybersecurity agency) in 2024 (Panorama de la cybermenace 2025). That figure rises to 69% for ransomware attacks. SMEs are targeted because they have fewer resources to defend themselves and because they pay ransoms more often than large corporations.
What is the average cost of a cyberattack for a French SME?
According to Groupama (2025), the average cost of a cyberattack for a French small or mid-sized business is 466,000 euros, including direct costs (forensics, restoration, potential ransom) and indirect costs (lost revenue, lost customers, increased insurance premiums). For the cases documented in this article, costs range from 500,000 euros (Nuxe) to over 20 million euros (Manutan).
Is phishing really the top attack vector against SMEs?
Yes. Phishing is involved in 60% of cyberattacks according to the CESIN barometer 2026 (OpinionWay). The Verizon DBIR 2025 confirms that 74% of breaches involve a human factor. In 8 of the 10 cases detailed in this article, the attack started with a phishing email or credential compromise.
Can an SME go bankrupt because of a cyberattack?
Yes, and this is not theoretical. Lise Charmel was placed under court-supervised restructuring in 2020 after a ransomware attack. Clestra Hauserman suffered the same fate in 2022. Camaieu was liquidated that same year. According to Hiscox (2022), 60% of SMEs hit by a major cyberattack go out of business within 18 months.
Does cyber insurance cover ransomware losses?
Partially. Insurance typically covers forensics costs, business interruption (subject to cap and deductible), and sometimes notification costs. It does not cover CNIL fines, reputational damage, or losses where the company failed to meet the policy's security prerequisites. The average deductible for an SME is 15,000 euros.
How much does basic cybersecurity protection cost for an SME?
A comprehensive program for 50 employees costs between 18,700 and 45,000 euros per year. That is between 4% and 8% of the average cost of a single attack (466,000 euros). The highest-ROI measures: MFA (free to 4,000 euros/year), offsite backups (3,000-6,000 euros/year), and phishing simulation (1,200-6,000 euros/year).
Conclusion: 10 cases, one lesson
Lise Charmel. Clestra Hauserman. Camaieu. Fleury Michon. Nuxe. Groupe Y. Manutan. MMA Emballages. Dax Hospital. Bouygues Construction.
Ten French companies. Ten attacks. One pattern: a phishing email, a click, no MFA, unusable backups, and panic.
The total documented damages in this article exceed 100 million euros. Hundreds of jobs lost. Decades of work destroyed.
And in every case, a basic cybersecurity program costing between 20,000 and 45,000 euros per year would probably have prevented the attack or limited the damage to a few days of inconvenience instead of months of crisis.
The question is not whether your SME will be targeted. The question is whether it will be ready when it happens. The 10 stories you just read show what happens when the answer is no.
Your first step: test your domain's email security in 30 seconds, for free. It is the first diagnostic to understand where you stand.