A 21-year-old man suspected of conducting approximately 100 data breaches since late 2025 - including a hack of the French Ministry of National Education that exposed records on almost a quarter of a million employees - has been arrested at his home in western France. Read more in my article on the Hot for Security blog.

French police arrest HexDex hacker, a 20-year-old suspect accused of mass data theft and leaks targeting government, sports groups, and firms.

The ANTS data breach has brought renewed attention to data security risks in France’s public sector after authorities confirmed a security incident affecting the ants.gouv.fr portal. The breach was detected on April 15, 2026, by the National Agency for Secure Documents and may have led to the exposure of personal data linked to both individual and professional accounts. According to initial findings, the compromised data includes identification details such as login IDs, names, email addresses, dates of birth, and unique account identifiers. In some cases, additional information such as postal addresses, place of birth, and phone numbers may also be involved. Affected users are being notified directly as investigations continue.

ANTS Data Breach Limited in Scope But Raises Phishing Risks

Authorities have clarified that the ANTS data breach does not involve documents submitted during administrative procedures, including uploaded attachments. The exposed data also cannot be used to directly access user accounts on the portal. However, the nature of the data still presents potential risks. Personal identifiers can be leveraged in targeted phishing campaigns or identity misuse attempts. Users have been advised to remain cautious when receiving unsolicited emails, calls, or messages claiming to be from official sources. The agency also warned that any attempt to distribute or sell data presented as originating from ANTS would be considered illegal.

Regulatory Response and Investigation Underway

In line with regulatory requirements, the ANTS data breach has been reported to the National Commission for Information Technology and Civil Liberties under Article 33 of the General Data Protection Regulation. A separate report has been submitted to the Paris Public Prosecutor under Article 40 of the French Code of Criminal Procedure to support a formal investigation. The National Cybersecurity Agency of France has also been notified and is working alongside ANTS to determine the origin, timeline, and full scope of the incident. Technical investigations are ongoing, with authorities focusing on how the breach occurred and whether additional systems were affected. Security measures have already been reinforced to protect user data and ensure service continuity on the platform.

EduConnect Cyberattack Shows How Identity Misuse Enables Access

The ANTS data breach follows closely on the heels of another incident involving France’s education systems. A cyberattack targeting the EduConnect platform stemmed from the impersonation of an authorized staff account in late 2025. Attackers exploited a vulnerability in a connected student account management service shortly before it was patched. This allowed unauthorized access to student data, including names, login identifiers, class information, and in some cases email addresses and activation codes. Investigations later confirmed that the scope extended beyond the initially targeted institution. In response to EduConnect cyberattack, the ministry reset access codes for unactivated accounts, blocked compromised credentials, and introduced two-factor authentication. A crisis response team was also activated, and access to the affected service was temporarily suspended. The case highlights how compromised credentials can be used to bypass controls without triggering immediate detection.

FICOBA Breach Exposed Financial Data Through Stolen Credentials

Earlier this year, another major France data breach involved the FICOBA database, a centralized registry that tracks all bank accounts in the country. The FICOBA breach affected approximately 1.2 million accounts after an attacker used stolen credentials belonging to a government official. Managed by the Directorate General of Public Finances, FICOBA contains highly sensitive data, including IBAN numbers, account holder identities, and addresses. The attacker accessed the system through legitimate channels, allowing queries to be made without raising immediate alerts. Authorities detected the intrusion in late January 2026 and moved quickly to restrict access and limit further data extraction.

ANTS Data Breach Reflects Broader Challenges in Data Protection

The ANTS data breach adds to a growing list of incidents affecting public sector systems in France. While the breach appears limited in terms of direct impact, it highlights ongoing challenges in managing personal data securely. Across recent cases, a consistent pattern is emerging. Attackers are not relying solely on traditional exploits. Instead, they are leveraging identity compromise, timing vulnerabilities, and gaps in monitoring to gain access to sensitive systems. French authorities have responded with notifications, investigations, and enhanced safeguards. However, these incidents reinforce the need for stronger controls around identity management, access monitoring, and data minimization. As investigations into the ANTS data breach continue, the findings are likely to shape how public sector platforms in France approach both security and user data protection going forward.

A hacker accessed data from 1.2 million French bank accounts using stolen official credentials, the Economy Ministry said.

A hacker gained access to data from 1.2 million French bank accounts using stolen credentials belonging to a government official, according to the French Economy Ministry. French authorities said affected account holders will be notified in the coming days.

“The French Economy Ministry said on Wednesday, February 18, that a hacker gained access to a national bank account database and consulted information on 1.2 million accounts.” reports French daily newspaper LeMonde. “Since the end of January, the hacker used the stolen credentials of an official to access and consult “parts of the file of all of the accounts open in French banks and which contains personal data such as bank account numbers, name of the account holder, address and in certain cases the account owner’s tax number,” the ministry said in a statement.”

France’s Public Finances chief said the security breach did not allow access to account balances or transactions. After detecting the intrusion, the ministry immediately blocked the threat actor and acted to prevent any data from being removed.

Authorities filed a criminal complaint and notified the CNIL, France’s data protection authority, about the incident.

The Economy Ministry has not yet disclosed the hacker’s motivation. It remains unclear whether the attacker is a nation-state actor or a cybercriminal.

In December, a major cyber incident knocked offline the information systems at the French national postal service La Poste. The attack disrupted digital banking and online services for millions of customers.

The outage followed another cyberattack on France’s Interior Ministry, where a suspected hacker accessed sensitive police data; a 22-year-old was detained. The French Interior Minister Laurent Nunez announced that threat actors compromised email servers at the Ministry of the Interior.

The attack was detected overnight between December 11 and 12, and according to the French interior minister, attackers gained access to some document files, though data theft remains unconfirmed.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, French bank accounts)