The 50 Largest Data Breaches in France (2020-2026)
From France Travail (43M) to Viamedis (33M), a complete inventory of the 50 most massive data breaches in France. Timeline, figures, affected sectors, and lessons for your business.
In March 2024, France Travail disclosed the compromise of data belonging to 43 million French citizens. Three weeks earlier, the dual Viamedis-Almerys hack had exposed the health data of 33 million people. Over six years, France has experienced an unprecedented surge in massive data breaches, hitting every sector: healthcare, telecommunications, retail, public services, and finance.
This article catalogs and analyzes the 50 most serious data breaches in France between 2020 and 2026. Each incident is documented with hard numbers, the attack vector used, and the consequences. The goal: a factual overview of the threat so that every executive, IT manager, and security officer can measure the scale of the risk and take action.
All data in this article is sourced from our French cyber incident database, which you can search and filter in real time.
The scale of breaches in numbers
Before examining each incident, here are the headline figures that define France's current data crisis.
| Indicator | Figure | Source |
|---|---|---|
| Breach notifications received by CNIL in 2023 | 4,668 | CNIL Annual Report 2023 |
| Year-over-year increase in notifications | +14% | CNIL Annual Report 2023 |
| Individuals affected by the two largest breaches of 2024 | 76 million | France Travail + Viamedis-Almerys |
| Average cost of a data breach in France | 4.3M euros | IBM Cost of a Data Breach 2025 |
| Share of breaches involving the human factor | 74% | Verizon DBIR 2025 |
| CNIL fines issued in 2023 | 89.2M euros | CNIL Sanctions Report 2023 |
These numbers confirm a straightforward reality: data breaches are no longer exceptional events in France - they are a statistical certainty. The question is no longer "if" but "when."
The 10 largest breaches (by number of individuals affected)
1. France Travail - 43 million people (March 2024)
The largest personal data theft in French history. Attackers compromised the credentials of Cap Emploi advisors to access the central France Travail (formerly Pole emploi) database. 43 million current and former job seekers (dating back to 2000) had their data exposed: names, dates of birth, Social Security numbers, France Travail identifiers, email and postal addresses, and phone numbers.
The attack was made possible by the absence of two-factor authentication on advisor accounts and a centralized database architecture with no segmentation. Three suspects aged 22 to 24 were arrested.
Lesson: multi-factor authentication (MFA) is not optional. For 43 million people, a single compromised password was all it took.
2. Viamedis and Almerys - 33 million policyholders (February 2024)
Two third-party payment operators, Viamedis and Almerys, were hacked within five days of each other. The data of 33 million health insurance beneficiaries was compromised: civil status, date of birth, Social Security number, insurer name, and supplementary health coverage details.
The entry vector: healthcare professionals' accounts compromised via phishing, then used to access the third-party payment management portals. The attack is a textbook illustration of supply chain risk - neither the insurers nor the policyholders were directly attacked, but an intermediary vendor exposed the data of half the French population.
Lesson: the security of your data depends on the security of your vendors. Auditing your partners' email configuration is a concrete first step.
3. Free Mobile - 19.2 million customers (October 2024)
Telecom operator Free confirmed the theft of data belonging to 19.2 million customers, including the IBANs of 5 million Freebox subscribers. Names, addresses, dates of birth, emails, phone numbers, and subscription details were put up for sale on a cybercrime forum. The attacker used compromised access to an internal management tool.
4. Fnac-Darty - 15 million customers (October 2024)
The Fnac-Darty group confirmed an intrusion into an after-sales service tool that potentially exposed the data of 15 million customers: identities, addresses, emails, and order details. The breach came through an external contractor's account with access to the after-sales system.
5. SFR - 3.6 million customers (September 2024)
SFR notified CNIL of a breach affecting 3.6 million customers: names, contact details, and contract numbers. For some customers, IBANs and IMSI phone numbers were also exposed. Access was gained through an order management tool.
6. Boulanger - 2 million customers (September 2024)
Home appliance retailer Boulanger suffered a breach affecting 2 million customers: names, addresses, emails, and phone numbers. Delivery data (full addresses) was particularly exposed, raising the risk of targeted burglaries.
7. Orange - 1.3 million customers (January 2014)
Although this predates our 2020-2026 window, this breach earns its place through sheer scale. 1.3 million customers were affected in an initial intrusion, followed by another 800,000 three months later. It was one of the first major breaches in French digital history.
8. Conforama - 1 million customers (November 2023)
The furniture retailer suffered a massive breach: names, addresses, emails, and purchase histories of approximately 1 million customers were published on a cybercrime forum.
9. Domino's Pizza France - 592,000 customers (June 2014)
The Rex Mundi group hacked the Domino's Pizza France and Belgium databases, stealing 592,000 customer records. The hackers attempted to extort 30,000 euros by threatening to publish the data. When Domino's refused to pay, they released the entire database online.
10. Cultura - 2 million accounts (September 2024)
Bookstore and media chain Cultura saw the data of 2 million customer accounts exposed through the compromise of an IT vendor shared by several retailers. The breach included names, addresses, emails, and order histories.
Healthcare under fire
Healthcare has become the preferred target for cyberattackers in France. Medical records are worth up to 250 euros per file on the black market (Ponemon Institute) - 50 times more than a credit card number. Here are the most significant incidents.
Hospitals paralyzed by ransomware
2021 was catastrophic for French hospitals, with a wave of ransomware attacks:
- Dax Hospital (February 2021) - Ransomware that shut down the entire IT system. Staff reverted to paper, patients were transferred, and surgeries were postponed. Weeks of rebuilding followed.
- Villefranche-sur-Saone Hospital (February 2021) - Hit by Ryuk just days after Dax. Phone systems, email, and clinical applications all went down.
- Oloron Hospital (March 2021) - Ransomware encrypted shared drives and email. Electronic prescriptions were blocked.
- Arles Hospital (August 2021) - Vice Society ransomware. Systems completely shut down, reversion to paper, patient transfers.
The series continued in 2022 and 2023:
- Centre Hospitalier Sud Francilien, Corbeil-Essonnes (August 2022) - LockBit 3.0 ransomware, 10 million dollar ransom demand. 700,000 patients potentially affected. Medical data was published on the dark web after the hospital refused to pay.
- Rennes University Hospital (CHU) (June 2023) - Attack that forced a full IT system switchover. The emergency department had to operate in degraded mode.
- Versailles Hospital (CH) (December 2022) - Ransomware that forced the postponement of consultations and surgeries. ANSSI (France's national cybersecurity agency) was called in.
- Ajaccio Hospital (March 2023) - Complete IT paralysis, degraded mode operations for several weeks.
- Simone Veil Hospital, Cannes (April 2024) - The latest major attack, confirming that the threat shows no sign of easing.
Ramsay Sante: 120 facilities hit simultaneously (August 2019)
Private hospital group Ramsay Sante, which operates 120 facilities in France, was struck by ransomware that disabled email and clinical applications across the entire group. The attack exposed the vulnerability of private healthcare groups whose infrastructure is shared.
The dual Viamedis-Almerys hack: the healthcare supply chain
As detailed above, the February 2024 attack against the two third-party payment operators proved that supply chain security is the Achilles' heel of the French healthcare system. Healthcare professionals' accounts compromised via phishing were enough to expose the data of 33 million people.
Learn more: see our detailed article on cyberattacks against French hospitals (coming soon).
The public sector: local governments and national agencies
French local governments have become regular targets since 2020. Limited budgets, aging IT systems, and sensitive data (civil records, social benefits) make them ideal prey.
Major local governments affected
- City of Marseille (March 2020) - Ransomware on the eve of municipal elections. Systems paralyzed, civil records inaccessible.
- City of Angers (January 2021) - Digital services shut down for weeks: after-school registrations, civil records, online services.
- Seine-et-Marne Department (November 2022) - Entire infrastructure compromised. Months of rebuilding.
- City of Caen (September 2022) - Ransomware encrypted part of the IT system. Citizen services disrupted.
- Alpes-Maritimes Department (November 2022) - 280,000 files stolen, residents' personal data published on the dark web.
- Guadeloupe Region (November 2022) - Regional government paralyzed, benefit payments blocked for weeks.
- City of Lille (March 2023) - Royal ransomware impacting municipal services.
- Ardennes Departmental Council (October 2023) - Social welfare payments (RSA, APA), social aid, and civil records disrupted.
- Loiret Department (November 2024) - One of the most recent examples of a local government being hit.
France Travail: the central administration
The attack on France Travail (March 2024) remains the landmark case. But the former Pole emploi had already been hit in August 2023 via the MOVEit vulnerability, with 10 million job seekers potentially affected by the Cl0p group.
Retail: a hemorrhage of customer data
2024 was a devastating year for French retail. Within a few months, a string of breaches hit major chains, often through the compromise of shared IT vendors.
| Retailer | Date | Customers affected | Vector |
|---|---|---|---|
| Fnac-Darty | Oct. 2024 | 15,000,000 | Compromised after-sales vendor |
| Boulanger | Sept. 2024 | 2,000,000 | Compromised IT vendor |
| Cultura | Sept. 2024 | 2,000,000 | Compromised IT vendor |
| Conforama | Nov. 2023 | 1,000,000 | Unauthorized access |
| Picard | Oct. 2024 | Not disclosed | Credential stuffing |
| Auchan | Nov. 2024 | Not disclosed | Unauthorized access |
| Norauto | Nov. 2024 | 78,000 | Compromised management tool |
| Truffaut | Sept. 2024 | Not disclosed | Unauthorized access |
| LDLC | Dec. 2022 | Not disclosed | Ragnar Locker ransomware |
| Intersport | Dec. 2022 | Not disclosed | Hive ransomware |
| Kiabi | Jan. 2025 | 20,000 | Credential stuffing |
A recurring theme across several of these incidents: the compromise of an IT vendor that serves multiple retailers at once. Boulanger, Cultura, and potentially other chains were breached through the same vulnerability at a shared subcontractor.
Lesson: security does not stop at your company's front door. Your vendors, suppliers, and business partners are all potential entry points.
Telecommunications: millions of French citizens exposed
The telecom sector has been hit especially hard, with massive volumes of data at stake:
- Free Mobile (October 2024) - 19.2 million customers, including 5 million IBANs
- SFR (September 2024) - 3.6 million customers
- La Poste Mobile (July 2022) - Customer data exposed after a ransomware attack
- Bouygues Telecom (March 2023) - 200,000 customers via a compromised partner
- Orange (January 2014) - 1.3 million then 800,000 customers
With the French telecom market concentrated among four major operators, every single breach affects a huge share of the population.
Industry and strategic enterprises
French industrial and strategic companies have not been spared. Attackers target intellectual property, business data, and operational continuity.
- Saint-Gobain (June 2017) - Collateral victim of the NotPetya malware. 250 million euros in declared losses, one of the costliest incidents in history.
- Renault (May 2017) - WannaCry forced the automaker to shut down several production sites.
- Altran Technologies (January 2019) - LockerGoga ransomware paralyzed the global network of the engineering consultancy.
- Bouygues Construction (January 2020) - Maze ransomware with exfiltration of internal data.
- CMA CGM (September 2020) - The shipping giant hit by Ragnar Locker ransomware. Customer-facing systems taken offline.
- Sopra Steria (October 2020) - A top-tier IT services firm struck by Ryuk. Estimated cost: 40 to 50 million euros.
- Pierre Fabre (March 2021) - REvil paralyzed this pharmaceutical group with 4 billion euros in annual revenue. Ransom demand: 25 million dollars.
- Manutan (February 2021) - DarkSide inflicted an estimated 20 million euros in damages on the industrial supplies distributor.
- Schneider Electric (January 2024) - Internal data stolen via the MOVEit vulnerability by Cactus ransomware.
- Airbus (September 2023) - 3,200 supplier contacts exposed through the compromise of a partner (Turkish Airlines).
- Thales (November 2022) - The defense group targeted by LockBit 3.0 with publication of internal data.
The Saint-Gobain case: 250 million euros in losses
Saint-Gobain remains the costliest documented incident in France. A collateral victim of NotPetya (a Russian malware originally targeting Ukraine), the company saw its production, logistics, and billing systems paralyzed on a global scale. The total declared cost of 250 million euros includes lost revenue, systems rebuilding, and the impact on the production chain. A brutal lesson in how geopolitical risks can strike any connected business.
The heaviest CNIL fines
Beyond data breaches, CNIL (France's data protection authority) also sanctions GDPR violations related to data protection. Here are the largest fines handed down in France.
| Company | Amount | Year | Reason |
|---|---|---|---|
| 150M euros | 2022 | Cookies: rejecting not as easy as accepting | |
| Facebook (Meta) | 60M euros | 2022 | Cookies: no simple way to refuse |
| Microsoft | 60M euros | 2022 | Advertising cookies without consent on Bing |
| Amazon | 35M euros | 2023 | Excessive employee surveillance |
| Criteo | 40M euros | 2023 | Data processing without valid consent |
| Clearview AI | 20M euros | 2022 | Mass collection of photos without consent |
| Uber | 10M euros | 2024 | Inadequate data protection measures |
| TikTok | 5M euros | 2023 | Cookies: rejecting not as easy as accepting |
| Carrefour | 3M euros | 2020 | Excessive data retention, insufficient information |
| Dedalus Biologie | 1.5M euros | 2022 | Medical data leak affecting 500,000 patients |
The trend is clear: fines are increasing year after year, and CNIL is expanding its enforcement scope. SMBs are not exempt - Dedalus Biologie, a mid-sized company, received a 1.5 million euro fine after a medical data leak affecting 500,000 patients.
Media and services: a wide range of targets
The media and services sector has also been hit by high-profile attacks:
- TV5Monde (April 2015) - The most dramatic attack: all 12 channels taken off the air by APT28 (Fancy Bear). Months of rebuilding.
- Lagardere (September 2020) - Maze ransomware with exfiltration of internal data.
- Canal+ (March 2024) - Subscriber data leaked through a compromised vendor.
- Mediapart (March 2023) - Massive DDoS attack coinciding with sensitive investigative reporting.
- Molotov TV (October 2024) - Customer data exposed after an intrusion.
Finance and insurance
The financial sector, despite heavy cybersecurity investment, is not immune:
- Banque de France (2023) - Targeted phishing campaign using fake Banque de France emails.
- BPCE (October 2024) - Customer data compromised via a management tool.
- Credit Agricole (2024) - Customer data leak at a subsidiary.
- MMA Assurance (July 2020) - Ransomware that paralyzed the insurer for several days.
- AXA Partners (May 2021) - Avaddon ransomware, 3 terabytes of data exfiltrated including medical reports and bank statements.
- MAIF (June 2024) - Breach via an external vendor.
- Groupe Vyv (October 2023) - Mutual insurer hit by a cyberattack with data theft.
Hacked SMBs: the cases that never make the news
The major breaches grab headlines, but thousands of SMBs are hacked every year with no media coverage. A few documented examples:
- Clestra Hauserman (May 2022) - An industrial SMB in Alsace forced into judicial restructuring after a ransomware attack. The attack was one of the determining factors in the company's collapse.
- Camaieu (2022) - Already financially weakened, the women's clothing chain suffered a cyberattack that accelerated its liquidation.
- Lise Charmel (November 2019) - The Lyon-based lingerie manufacturer was placed in judicial restructuring after a ransomware attack. The company refused to pay the ransom and spent months rebuilding its IT systems.
What these three cases have in common: ransomware directly contributed to the company's financial failure. For an SMB with no cash reserves, weeks of paralysis can be fatal.
Learn more: What does a cyberattack cost a 50-person SMB?
Timeline of major breaches (2019-2026)
To visualize how the threat has accelerated, here is a timeline of the most significant incidents:
2019
- August: Ramsay Sante (120 facilities, ransomware)
- November: Lise Charmel (ransomware leading to judicial restructuring)
- November: Rouen University Hospital (ransomware)
2020
- January: Bouygues Construction (Maze ransomware)
- March: City of Marseille (ransomware before elections)
- July: MMA Assurance (ransomware)
- September: CMA CGM (Ragnar Locker)
- October: Sopra Steria (Ryuk, 40-50M euros)
2021
- February: Dax and Villefranche hospitals (Ryuk)
- February: Manutan (DarkSide, 20M euros)
- March: Pierre Fabre (REvil, 25M dollars demanded)
- May: AXA Partners (Avaddon, 3 TB exfiltrated)
- August: Arles Hospital (Vice Society)
2022
- August: Centre Hospitalier Sud Francilien, Corbeil-Essonnes (LockBit, 10M dollars demanded)
- November: Alpes-Maritimes and Seine-et-Marne Departments
- November: Guadeloupe Region (ransomware)
- December: LDLC, Intersport (ransomware)
- CNIL: Google 150M euros, Facebook 60M euros, Microsoft 60M euros
2023
- March: City of Lille (Royal ransomware)
- March: Aix-Marseille University (ransomware)
- June: Rennes University Hospital
- August: Pole emploi / MOVEit (10 million)
- November: Conforama (1 million), ORPEA
- CNIL: Amazon 35M euros, Criteo 40M euros
2024
- January: Schneider Electric (Cactus ransomware)
- February: Viamedis-Almerys (33 million)
- March: France Travail (43 million)
- September-November: retail wave - Free (19.2M), Fnac-Darty (15M), SFR (3.6M), Boulanger (2M), Cultura (2M), Picard, Auchan, Norauto, Truffaut
2025
- January: Kiabi (credential stuffing, 20,000 accounts)
The trend is undeniable: volumes are growing, attacks are becoming more professionalized, and the range of affected sectors keeps widening.
The dominant attack vectors
Analyzing these 50+ incidents reveals recurring patterns:
1. Phishing and credential theft (the #1 vector)
The majority of large-scale breaches begin with a compromised user account: phishing, credential stuffing, or password reuse. Viamedis-Almerys, France Travail, Free Mobile - every time, legitimate credentials were hijacked.
What you can do: train your teams to recognize phishing attempts. Regular simulations reduce click rates from 33% to under 5%.
2. The supply chain (35% of breaches according to CESIN)
Boulanger, Cultura, Fnac-Darty, Airbus, Viamedis - in all these cases, the victim company was not directly attacked. It was a vendor, subcontractor, or business partner that was compromised.
3. Ransomware (paralysis + exfiltration)
Modern ransomware no longer stops at encrypting data - it exfiltrates the data before encrypting it, creating double extortion. Corbeil-Essonnes hospital, Sopra Steria, Pierre Fabre, Manutan - all saw data published on the dark web after refusing to pay.
4. Exploitation of vulnerabilities (MOVEit, Log4j)
Zero-day or unpatched vulnerabilities in third-party software are a growing vector. The MOVEit flaw (CVE-2023-34362) hit Schneider Electric, Pole emploi, and Casino via the Cl0p group.
How to protect your business
Faced with this reality, protection rests on four complementary pillars:
Pillar 1: Technical security
- Mandatory MFA on all accounts (the France Travail lesson)
- Network segmentation to limit lateral movement
- Data encryption at rest and in transit
- Tested backups disconnected from the main network
- Secure email configuration: SPF, DKIM, DMARC - test your domain for free
Pillar 2: Employee training
The human factor is involved in 74% of breaches (Verizon DBIR 2025). Training is not a luxury - it is an operational necessity.
- Monthly phishing simulations
- Micro-learning modules triggered by simulation failures
- A clear, accessible reporting protocol
Launch your first phishing simulation - set up in 15 minutes.
Pillar 3: Third-party management
- Audit your vendors' security before entrusting them with your data
- Require MFA and encryption in contracts
- Limit access to the strict minimum (principle of least privilege)
Pillar 4: Incident response planning
- CNIL notification within 72 hours (GDPR requirement)
- Crisis communication prepared in advance
- Forensics: identify the vector, scope, and compromised data
- File a criminal complaint within 72 hours (required under France's LOPMI law for insurance coverage)
Conclusion: data breaches are the #1 risk
Between 2020 and 2026, France has experienced an unprecedented acceleration in data breaches. Over 100 million personal data records were compromised in the France Travail, Viamedis-Almerys, and Free Mobile incidents alone. Hospitals were paralyzed, SMBs went bankrupt, and CNIL handed out hundreds of millions of euros in fines.
The good news: effective defenses exist and are within reach. MFA, employee training, vendor audits, and an incident response plan do not require a multinational's budget. They require commitment and a structured approach.
Explore our complete French cyber incident database - over 100 documented incidents, filterable by year, sector, and attack type.
Your first concrete step: test your domain's email security in 30 seconds. It is free, instant, and will tell you immediately whether your company is vulnerable to phishing and email spoofing.