France is getting hammered by a surge of data breaches so large it’s warping the country’s sense of what “normal” looks like. In January 2026 alone, more than90 million accountstied to people in France were reported compromised, an eye-popping figure in a nation of about 68 million residents, and a sign that the same individuals are being swept up again and again across multiple leaks.
The fallout isn’t abstract. Once personal data hits underground forums, it quickly turns into real-world fraud: phishing texts that mimic government agencies, fake “customer support” calls, account takeovers, and identity scams built from stitched-together details. And in 2026, the targets aren’t just retailers, health systems and even security-related databases are getting pulled into the blast radius.
January’s breach pace: a new leak about every two days
Sommaire
- 1 January’s breach pace: a new leak about every two days
- 2 Health data takes the hardest hit: up to 35 million people exposed
- 3 Security-related databases: police and gun-owner data raise physical safety fears
- 4 E-commerce and delivery leaks expose “everyday life” data scammers love
- 5 France’s privacy watchdog logged 6,167 breaches in 2025, and the trend is accelerating
- 6 Key Takeaways
- 7 Frequently Asked Questions
- 8 Sources
The most jarring signal came right at the start of the year: January saw a reported breach cadence of roughlyone new incident every two days. That kind of tempo makes coordinated response difficult, by the time one organization notifies users, another dataset may already be circulating.
The victims span public agencies and private companies, underscoring a basic reality of modern cybercrime: attackers often go for the easiest door with the biggest payoff, not the most prestigious name. Publicly cited cases in the period includedURSSAF(France’s payroll-tax and social-contribution collection system, roughly analogous to a mix of IRS-style collection and Social Security administration functions), sports federations, and brands such as O’Tacos, Panorama Banques, Waltio, ENI, and Ledger.
The exposed information is rarely harmless: names, emails, home addresses, phone numbers, and in some cases identity documents or photos. A French cybersecurity consultant quoted in the report put it bluntly: with an email address and a phone number, a scammer can simply “pick the right script.”
One key caveat: “90 million accounts” doesn’t mean 90 million unique people. It can mean the same person appears in multiple leaks, sometimes with different pieces of information, making it easier for criminals to build detailed profiles and run more convincing cons.
Health data takes the hardest hit: up to 35 million people exposed
Health-related breaches are among the most alarming in 2026 because the data can be exploited for years. Leaks tied to regional health systems and hospitals reportedly exposed information connected to as many as35 millionpeople in France, one of the largest health-data exposures the country has ever seen.
Even when a breach doesn’t include full medical charts, administrative details can still reveal sensitive information, or help scammers convincingly impersonate insurers, clinics, or government health programs. That’s why health data is prime material for reimbursement fraud, extortion attempts, and highly targeted phishing.
Another major case involvedCegedim, a French health-tech and services company. The report describes a February incident that may have affected up to15 millionpeople. The danger goes beyond stolen emails: health-related context makes scams feel legitimate because the institutions and language are familiar to nearly everyone.
Hospital IT teams, according to an anonymous official cited in the article, often can’t simply “shut things down” the way a retailer might. Care has to continue, even as staff isolate systems, reset access, and investigate, creating a brutal tension between staying open and locking down.
When breaches hit security-linked systems, the risk isn’t just financial, it can become personal. In 2026, data associated with France’sNational Policereportedly affected176,000 officers. Another leak tied to theSIA, France’s gun information system, reportedly exposed data on62,000 gun owners, including addresses.
That combination, names, roles, and home locations, can enable targeted harassment, intimidation, or worse. And for gun owners, an address can become a roadmap for burglars looking for firearms.
The incidents also put pressure on the French government’s credibility.Marie-Laure Denis, head of France’s privacy watchdogCNIL(the country’s counterpart to a national data-protection authority, similar in spirit to a beefed-up FTC privacy role), has warned that the state carries a “special responsibility” when it comes to protecting citizens’ data.
But the public response can feel fragmented: each agency handles its own notifications and remediation, leaving citizens to sort through inconsistent, sometimes late, and often vague alerts, while criminals reuse and recombine data at industrial scale.
E-commerce and delivery leaks expose “everyday life” data scammers love
Breaches in e-commerce and logistics can be especially exploitable because they map onto daily routines, deliveries, purchases, customer-service chats. Early January, French flower delivery serviceFlorajetreported access to more than1 millionPDF order forms from 2023 to 2026, including names, addresses, phone numbers, and even personal messages attached to bouquets.
Those messages can add intimate context, relationships, life events, moments of vulnerability, that scammers can weaponize for social engineering.
Another case involvedMondial Relay, a major parcel pickup and delivery network in France (think a mix of UPS Access Point-style lockers and neighborhood drop-off counters). The company said a hacker accessed its tracking platform, and a criminal group claimed roughly5 milliondata points from 300,000 files, alleging it maintained access from earlier attacks. That’s the nightmare scenario: not a one-time breach, but a persistent foothold that enables repeated extractions.
Later in January, online home-improvement retailerManoManofaced a leak traced to a customer-service subcontractor after an agent account was compromised. Even without passwords or payment cards, support conversations can be gold for criminals, real ticket references, authentic tone, and enough detail to trick customers into clicking a malicious link.
The report’s bottom line: “No credit cards were stolen” is no longer reassuring. Addresses, phone numbers, delivery history, and support interactions are often enough to fuel package-delivery scams, fake refunds, and identity fraud.
France’s privacy watchdog logged 6,167 breaches in 2025, and the trend is accelerating
The January 2026 spike didn’t come out of nowhere. CNIL says it was notified of6,167data breaches in 2025, up10%from the year before, with about half tied to hacking. Over the last two calendar years, roughly80breaches reportedly affected at least1 millionpeople each.
A major driver is data centralization, large shared platforms, often run by third-party vendors. It’s efficient and cheaper, but it creates high-value choke points. When breaches pile up, security teams end up triaging: patching, notifying, and containing, while attackers exploit delays and inconsistent messaging.
The cybercriminal ecosystem has also changed. The report describes a mix of younger actors chasing notoriety and more organized groups that specialize in monetizing stolen data. That blend makes the threat unpredictable: one week it’s opportunistic intrusion, the next it’s a methodical operation designed for resale and long-term exploitation.
Basic advice still matters, unique passwords, two-factor authentication, skepticism toward unexpected messages. But the scale described here points to a bigger problem: individuals can reduce harm, but they can’t fix the underlying security failures. When tens of millions of accounts are exposed, the real test is whether institutions and their vendors can harden systems, detect intrusions early, and respond fast, before stolen databases spread beyond control.
Key Takeaways
- January 2026 accounts for more than 90 million affected accounts in France.
- The healthcare sector hits a record high, with up to 35 million people exposed.
- Databases related to security, law enforcement, and firearms increase the risk of physical targeting.
- Logistics and e-commerce expose highly usable data for phishing.
- The rise in reports to the CNIL confirms the industrialization of data leaks.
Frequently Asked Questions
Why is a leak still dangerous even without passwords or credit card numbers?
Because contact details, addresses, phone numbers, and communication history are enough to run convincing scams, steal someone’s identity, or bypass checks through social engineering. Scammers often combine multiple leaks to build richer profiles and increase their success rate.
What makes health data leaks more serious than others?
Health-related data can reveal highly personal information or be inferred from administrative details. Most importantly, it can’t be “changed” like a password. So an exposure can have consequences for years through blackmail, targeted phishing, or insurance reimbursement fraud.
Why do we see cascading incidents at vendors and subcontractors?
Many organizations outsource customer support, hosting, or technical components. That consolidation concentrates data and increases the number of entry points. A compromised support agent account or a misconfiguration can then expose large volumes, even if the end company wasn’t directly breached.
Do figures like “90 million accounts” mean 90 million people?
Not necessarily. The same person can show up in multiple databases with different information. In fact, that can increase the risk, because cross-referencing helps build more complete profiles that are useful for targeted attacks and identity theft.
Sources
- La France championne des fuites de données en 2026 face à toute l’Europe – Blog FrenchBreaches
- FUITE DE DONNÉES : L'ÉTAT MET LES FRANÇAIS EN DANGER !
- Fuites de données : face au tsunami, des Français vulnérables et des autorités impuissantes
- Liste des organisations victimes d'une cyberattaque en 2026
- Cyberattaques en France : les dernières fuites de données et entreprises touchées



