Five Sources, One Disaster
The database did not originate from a single event. That is what makes it so terrifying. Researchers at Cybernews identified five distinct sources. Nearly 23 million entries resembled voter or demographic registries. Full names. Addresses. Dates of birth. The basic information you provide when you register to vote—those lists that are supposed to be protected, those lists that form the foundation of democracy. Then, 9.2 million records of healthcare professionals. These records mirrored the official format of the RPPS/ADELI registries. The Shared Directory of Healthcare Professionals. This database contains every doctor, nurse, and pharmacist in France. The database you use to verify whether your healthcare provider is licensed to practice. This database that’s supposed to be secure. This database that’s now in the hands of just about anyone.
There were also 6 million CRM contacts—customer relationship management files. These are the databases that companies accumulate: purchases, preferences, and consumption habits. Then there were 6 million financial profiles. Some contained IBANs and BICs—those bank codes used to make transfers, codes that are literally the keys to your account. Finally, data linking vehicle registration numbers to insurance policies. All of this was aggregated by a single entity: a malicious or illegal actor—a data broker. Someone who retrieved this information from previous leaks, cleaned it up, organized it, and combined it to create a 360-degree profile of tens of millions of people. The French hosting provider was alerted by Cybernews and secured the server. But the damage—potentially—has already been done.
Do you know what upsets me the most? It’s the assembly. This isn’t just a leak. It’s a construction. Someone spent time assembling this data. Cross-referencing it. Cleaning it up. Making it usable. That’s work. That’s an investment. Someone invested time, money, and resources to turn personal data into a finished product. And why? To resell it at a higher price. A file with names and addresses is worth a few cents. A file with names, addresses, IBANs, license plate numbers, insurance information, and medical professions? That’s worth a lot more. This is the personal data economy. The economy of our privacy. We are the raw material. We are the oil of this new economy. And no one has ever asked us for permission.
Section 3: The Dangers of Urbanization
When the Pieces Come Together
Taken separately, each of these datasets would already be problematic. But their danger lies in their combination. That’s when everything changes. Imagine: you have a name, an address, and a date of birth. That’s already concerning. Now add an IBAN. You now know where this person lives, when they were born, and where their money is. Add their medical profession. You know what they do, you can estimate their income, and you know where they work. Add their license plate number and insurance information. You know what kind of vehicle they drive and how they’re insured. Add their spending habits from the CRM. You know what they buy, where they travel, and what services they use. This is no longer just a file. It’s a map of a life.
Cybercriminals can create extremely precise profiles. They can build detailed identity graphs—those complex representations that link a person to all their digital attributes. With this information, they can launch targeted phishing campaigns—those email or text message scams that seem legitimate because they contain accurate personal information. “Hello, Marie Dupont,” the message begins. “We’ve detected suspicious activity on your FR76 account…” And the rest of the IBAN follows. You don’t click? They also know you drive a Peugeot 308 with license plate 123 AB 75, insured by Company X. “Hello,” the message continues. “Your car insurance is about to expire…” It sounds real. It sounds legitimate. It’s believable. It’s dangerous.
How long will it take before someone loses everything? Before an elderly, isolated person receives a convincing call asking them to confirm their identity, and all their savings vanish with a single click? Before a family falls victim to identity theft that will take years to resolve? Before a healthcare professional sees their reputation destroyed by fraudulent accusations? The data is out there. It’s been leaked. It can’t be taken back. It’s like spilling a glass of water on an absorbent table. You can wipe it up, but the stain remains. The water has seeped in. The damage is done. Who’s going to pay for this? Not the data broker. Not the companies that failed to protect their files properly. It’s us. Always us. The victims. The vulnerable. Ordinary people.
Section 4: How the Scam Works
Social Engineering in the Age of Data
Social engineering—the psychological manipulation that involves deceiving people to obtain sensitive information—becomes terrifying when it has these resources at its disposal. Put simply: lying with precision. Attackers no longer have to improvise. They no longer need to guess. They know. They know your name. They know where you live. They know what you do. They know roughly how much you earn. They know what kind of car you drive. They can create highly targeted scam scenarios. Are you a doctor? They can impersonate the Medical Board. Are you insured with Company X? They can pretend to be a representative of that company. Do you live at a certain address? They can pretend to be local public utilities.
Massive phishing campaigns are becoming “sniper” campaigns. Instead of sending millions of generic emails and hoping that 0.1% of people will click, criminals can send thousands of personalized emails, each containing information specific to its recipient. The success rate skyrockets. And it’s not just phishing. It’s also outright identity theft. With this data, someone can create a credible fake identity. Take out a loan in your name. Open accounts. Order goods. Commit fraud. And you might not even know about it for months—until a bailiff knocks on your door. Until your bank freezes your accounts. Until your life is, quite literally, put on hold.
Imagine for a moment. You come home from work, tired. You turn on your computer to check your bank account. You want to see if your paycheck has come in. Instead, you see unfamiliar debits. Thousands of euros. Tens of thousands. You call your bank. They tell you: You made those transfers. You say: No. They say: Yes, using your login credentials. You say: I never did that. They barely believe you. You spend hours on the phone. Days. Weeks trying to prove that you are who you say you are. That you didn’t steal your own money. It’s a nightmare. It’s paralyzing. This is the reality that could potentially await thousands—perhaps millions—of French people in the coming months. And no one can tell you if you’ll be the next victim.
Section 5: The Fault Sequence
France Under Cyber Siege
This data breach is part of a troubling series of cyber incidents affecting France in recent months. In December 2025, attackers boasted of having gained access to the Ministry of the Interior—the Beauvau, the very heart of French domestic security. They compromised several sensitive systems. The ministry confirmed the attack. The police even arrested a suspect. But the damage was already done. In November, the French division of Eurofiber, a major telecommunications operator, suffered a data breach. Customer information was exfiltrated. In late 2025, two French universities—the University of Lille and the Grenoble School of Management—were targeted. Student data was compromised.
And now this composite database of 45 million records. France seems to be under cyber-siege. Every week, a new attack. Every month, a new leak. French organizations are enduring an unprecedented wave of cyberattacks. The causes vary: negligence, incorrect configuration, poorly protected servers, unpatched security vulnerabilities. But the result is always the same: our data is leaking out. Our lives are leaking out. Our privacy is scattered across the digital landscape, accessible to anyone who knows where to look. The authorities are trying to respond. The CNIL, the National Commission for Information Technology and Civil Liberties, is imposing fines. Free Mobile and Free were ordered to pay $49 million following a major data breach in 2024. But is that enough?
I feel like we’re losing a war without even realizing it. Not a military war. A war for our privacy. A war for our right to exist without being monitored, categorized, or commodified. Every leak is a lost battle. Every attack is a step backward. We’re told to be careful. We’re told to change our passwords. We’re told to be vigilant. But that’s no longer enough. It’s never been enough. The system is broken. The business model is broken. As long as our personal data is worth money, as long as it’s a commodity, there will be criminals to steal it, brokers to sell it, and companies to exploit it. It’s an extraction economy. Our privacy is extracted just as oil is extracted. And when the well runs dry, they move on to the next one.
Section 6: The Institutional Response
Penalties, but No Solution
An institutional response does exist, but it seems insignificant given the scale of the problem. The CNIL has the power to impose penalties—and it uses that power. The $49 million fine imposed on Free Mobile and Free is significant; it is one of the largest penalties ever handed down in France for a data breach. The incident affected 15 million customers. The data included names, addresses, phone numbers, and IBANs—personal and financial information. But the fine merely punishes after the fact. It does not protect. It does not prevent. It penalizes negligence, but does not change the system that made that negligence possible.
The structural problem remains intact: companies accumulate massive amounts of personal data, often without any real need. They store it, sometimes for years. They protect it poorly. They transfer it without taking precautions. And when a breach occurs, they apologize, they promise to improve their security, and they pay a fine if they’re caught. But the data is gone. It doesn’t come back. The victims, however, remain vulnerable. A fine can hurt a company. But it doesn’t repair a life ruined by identity theft. It doesn’t bring relief to an elderly person who’s been scammed out of their life savings. It doesn’t restore the reputation of a healthcare professional whose data has been compromised.
I’m tired of excuses. Tired of press releases that express “deep regret.” Tired of promises of improvement. Tired of penalties that come too late. What we need is radical change. We need to completely rethink the relationship between companies and our data. Why does a company need to store my IBAN for ten years? Why does a bank have to keep a record of all my transactions going back to the beginning of time? Why does an e-commerce site have to keep my address and my purchasing habits indefinitely? The principle of data minimization exists in the GDPR, the General Data Protection Regulation. But in practice, it’s ignored. Data is accumulated out of habit, greed, and an inability to imagine an alternative business model. And we, the people, are the ones paying the price.
Conclusion: The Aftermath of the Disaster
Living with the Shadow
The server has been secured. The database is no longer publicly accessible. That’s good news. But it’s also a false victory. The potential damage has already been done. We don’t know how many people accessed those 45 million records before they were taken down. We don’t know how many copies were made. We don’t know where that data is now. Perhaps it’s already on the dark web. Perhaps it’s already being sold. Perhaps it’s already being used to set up scams. Uncertainty is worse than certainty. At least if we knew exactly who has what, we could take action. But right now, we know nothing. We’re in the dark. We wait. We hope nothing will happen. It’s a constant source of anxiety.
For the 45 million French people potentially affected, life goes on, but with a shadow hanging over it. Every suspicious email takes on a new meaning. Every unknown call becomes a potential threat. Every unusual request for information must be scrutinized with suspicion. Caution must become a constant reflex. Check URLs. Never provide personal information over the phone or by email without absolute certainty. Monitor your bank accounts regularly. Enable security alerts. Use unique passwords. Enable two-factor authentication. These recommendations are standard. They’re also crucial. But they’re also exhausting. Living in a constant state of alert means living in fear. It means accepting that our privacy has been violated and that we must now defend ourselves on our own.
Marie still hasn’t slept well since Monday. She checks her bank account three times a day. She’s changed all her passwords. She’s set up two-factor authentication everywhere. She knows it’s probably pointless. That her data is already gone. That the scam, if it happens, might happen in six months, maybe in a year, maybe never. She knows she can no longer trust anyone. That her IBAN, her address, her profession, her car—everything that defines her—is now in the hands of strangers. She feels exposed. Violated. Not physically. But digitally. And what’s killing her is that she’s nothing special. She’s not a target. She’s just a statistic. One among 45 million. A life turned into data. An existence reduced to a few lines in a database sold to the highest bidder. Forty-five million lives. Forty-five million stories. Forty-five million shadows. And I ask myself: How many Maries will lose everything before we decide, collectively, that enough is enough? How many lives must be shattered before we reject this system that turns us into commodities? How many times are we going to accept the unacceptable?
Columnist's Transparency Box
I am not a journalist, but a columnist. I am an analyst and observer of the technological and societal dynamics that shape our digital world. My work consists of dissecting security vulnerabilities, understanding the mechanisms of cybercrime, and anticipating the risks we collectively face. I do not claim to possess the dispassionate objectivity of traditional journalism. I strive for clarity, sincere analysis, and a deep understanding of the issues that affect us all.
This text respects the fundamental distinction between verified facts and interpretive commentary. The factual information presented in this article comes from official and verifiable sources, including reports by Cybernews researchers, articles from Journal du Geek, 01Net, and Generation NT, as well as statements released by the relevant authorities. The analyses and interpretations presented here represent a critical synthesis based on the available information. My role is to interpret these facts, contextualize them, and make sense of them. Any subsequent developments could alter the perspectives presented here.
Sources
Primary sources
Cybernews – 45M French records leaked in major data breach (January 14, 2026)
Secondary sources
Journal du Geek – Alert to French citizens: 45 million highly sensitive records are circulating freely (January 15, 2026)
01Net – Another massive leak: 45 million French records exposed online, including banking information (January 14, 2026)
Generation NT – Massive data leak: 45 million French records affected (January 14, 2026)
This content was created with the help of AI.