France’s national rugby federation says it’s scrambling after a phishing-driven cyberattack exposed personal data tied to tens of thousands of registered players, and a hacker is now trying to cash in by selling a trove that allegedly includes 948 government ID cards.
The French Rugby Federation, known as the FFR, estimates 50,000 to 60,000 members may be affected. But the attacker is claiming a far bigger haul, up to 530,000 federation files, raising urgent questions about what was actually stolen and how widely it could spread.
The most alarming claim: nearly 1 million player photos, including images of minors, along with administrative and sports-related records. French regulators have been notified, the federation says, and some online services have been temporarily shut down as investigators try to contain the damage.
A phishing campaign, not a “Hollywood hack,” may have opened the door
The FFR says the breach traces back to phishing: scam emails, texts, or phone calls designed to trick members into handing over login credentials. The federation has emphasized it has no evidence of a direct break-in to its core systems, but compromised accounts can still provide broad access if permissions are too generous.
In response, the federation says it has moved into emergency mode: suspending some services, tightening access controls, resetting passwords, and adding extra security measures. For clubs and players, that can mean portals going dark, slower access, and administrative tasks on hold while the federation checks who logged in, when, and from what device.
The FFR is also pushing a blunt reminder: it will never ask for your password. That message matters in a volunteer-heavy sports ecosystem where coaches, parents, and club administrators often handle paperwork quickly, and where a realistic-looking “license renewal” request can slip through.
How big is the leak? The federation cites 50,000–60,000 people; the hacker claims 530,000 files
The numbers are still moving, and that uncertainty is part of the problem. The hacker’s claim of 530,000 files roughly matches the scale of a full federation database. Early assessments circulating around the case point to a confirmed impact on 50,000 to 60,000 individuals.
Investigators now face the central question in breaches like this: what was truly exfiltrated versus what’s being inflated to boost the price on a cybercrime forum.
The data described goes well beyond a basic contact list. It may include names, license numbers, club affiliations, administrative history, match information, and disciplinary records, details that can fuel harassment, reputational damage, or targeted scams inside tight-knit local sports communities.
948 ID cards and nearly 1 million photos: why minors face the highest risk
The hacker claims to possess 948 identity cards and more than 1 million player photos. If even part of that involves minors, the stakes jump dramatically: a photo paired with a name, birthdate, club, and location can be used for identity fraud, and for more personal forms of exploitation that are far harder to undo once files circulate.
In youth sports, families routinely upload headshots and documents for registration, insurance, and medical or administrative forms. If scans of IDs end up in criminal marketplaces, common downstream crimes can include fraudulent account openings, attempted credit applications, or “buy now, pay later” abuse, followed by months of cleanup for victims trying to prove they weren’t the one behind the transactions.
The leak may also involve sensitive incident and insurance-related information tied to sports injuries: details about what happened, where, and under whose supervision. That kind of data isn’t just embarrassing; it can be used to craft highly believable social-engineering scams aimed at parents, coaches, or club officials.
France’s privacy watchdog is involved, and the federation may have to notify victims
The FFR says it has alerted French authorities, including the CNIL, France’s powerful data protection regulator, roughly comparable to a mix of the FTC’s consumer-protection role and state privacy enforcers in the U.S. The federation says it’s investigating how many people were affected and exactly what data was accessed.
Victim notification is a balancing act in breaches like this: warn too early and you risk spreading incomplete information; warn too late and you leave people exposed to targeted fraud. The practical approach is immediate guidance (don’t share credentials, scrutinize sender addresses, avoid clicking links in unexpected texts), followed by more detailed notices as the facts firm up.
One risk the reporting highlights is shared accounts at local clubs: generic emails and recycled passwords passed from one volunteer to the next. That makes it harder to trace what happened and easier for attackers to strike again.
Sports organizations are becoming repeat targets, and the FFR has been hit before
The FFR isn’t alone. Other French sports federations have been targeted in recent months, and the federation itself faced a similar scare in June 2023. The sector is attractive to attackers: lots of users, lots of volunteers, uneven tech systems, and predictable surges in activity during registration periods.
Security experts argue that phishing is less about technical wizardry than human behavior, and that organizations can reduce risk with basics that don’t require a bank-sized budget: unique passwords, multi-factor authentication for sensitive accounts, tighter permissioning, limits on database exports, and immediate shutdown of access when a volunteer’s role ends.
The immediate danger now is the “second wave” after a leak: targeted scams that use real names, real club roles, and believable context to trick people into wiring money, paying fake invoices, or handing over more credentials. If the data is out, the fallout can last for months.
Key Takeaways
- The FFR confirms a cyberattack linked to a phishing campaign targeting registered members.
- Between 50,000 and 60,000 people may be affected, while the hacker claims 530,000 files.
- The hacker claims to have 948 ID cards and nearly one million photos, including of minors.
- France’s data protection authority (CNIL) and government agencies have been notified, and investigations are underway.
- Sports federations are a recurring target; the FFR had already been hit in June 2023.
Frequently Asked Questions
How many registered members may be affected by the cyberattack against the FFR?
Early information suggests an impact on about 50,000 to 60,000 registered members. The hacker claims to have extracted data linked to 530,000 records, which could correspond to a much larger database. At this stage, the exact scope depends on the ongoing investigation.
What data may be involved in the leak attributed to the FFR?
The data in question includes identity and federation-related information such as last names, first names, license numbers, clubs, administrative history, matches, and disciplinary sanctions. The hacker also claims to have 948 ID cards, nearly one million player photos including some minors, and information related to sports accidents, injuries, and insurance details.
Was the FFR hacked directly through its IT systems?
The federation says the incident is linked to a phishing campaign targeting certain registered members and states there was no direct intrusion into its systems. A leak can still occur if accounts were compromised and used to access services or data.
What should registered members do to reduce risks after this attack?
The main guidance is to never share usernames or passwords by email, phone, or text message, and to be wary of any unusual communication. If in doubt, it is recommended to rely on public resources such as cybermalveillance.gouv.fr and to watch for targeted scam attempts in the following weeks.



