Skip to content
Supply chainContained

Leak at AG2R la Mondiale (via Itelis)

Disclosed in November 2025, a cyberattack on Itelis — the optical-care third-party network used by insurer AG2R la Mondiale — exposed beneficiaries' names, dates of birth, social security numbers, reimbursement records and vision-correction data for optical coverage handled between 2020 and early 2022.

Victim
AG2R la Mondiale

On 25 November 2025, AG2R la Mondiale — one of France's largest social-protection and insurance groups — notified beneficiaries of a data breach originating not in its own systems but at Itelis, the optical-care partner network it relies on to connect opticians and process eye-care reimbursements. Itelis (part of the Axa healthcare-partner ecosystem) disclosed a cyberattack on 24 November 2025; AG2R la Mondiale began alerting affected members by email from 23 November.

The compromise reportedly stemmed from unauthorized access to the Itelis platform — early indications point to compromised employee credentials rather than a direct database breach. Because the exposed data flowed through a shared third-party processor, multiple insurers and mutuals beyond AG2R were affected. The records concerned optical coverage handled between 2020 and the first quarter of 2022.

Exposed data categories include:

  • Last name and first name
  • Date of birth
  • Social security number (NIR)
  • File / reimbursement records
  • Vision-correction data
  • Phone number (in some cases)

Bank details, postal and email addresses, and login credentials were reported as not affected. French press estimated up to 1.6 million beneficiaries across all client insurers could be concerned, though no figure specific to AG2R la Mondiale's portfolio was confirmed. AG2R la Mondiale notified the CNIL and filed a criminal complaint with the public prosecutor, and warned members to be vigilant against phishing attempts exploiting the leaked details.

Sources

  1. next.inkhttps://next.ink/brief_article/fuite-de-donnees-personnelles-chez-itelis-axa-nom-dossier-correction-numero-secu/
  2. clubic.comhttps://www.clubic.com/actualite-518218-un-nouveau-prestataire-de-sante-francais-touche-par-une-cyberattaque-visant-les-donnees-personnelles-des-assures.html
  3. stroople.comhttps://www.stroople.com/data-breach-observatory/data-breach-itelis-november-2025/

Related incidents

Supply chainContained

Leak at ASAF & AFPS (via Itelis)

Members of insurer ASAF & AFPS had personal data exposed after a breach at Itelis, the optical-care network processing their claims; names, dates of birth, social security numbers, claim records and vision-correction data from 2020-2022 were affected.

Victim
ASAF & AFPS
Supply chainContained

Leak at La Nef

In September 2025, French ethical cooperative bank La Nef notified shareholders that their email addresses were exposed after a cyberattack on third-party voting provider SLIB; only email addresses were affected, with no banking data, IDs or passwords compromised.

Victim
La Nef
Supply chainContained

Leak at MAIF & BPCE

A ransomware attack on French wealth-management software vendor Harvest (Run Some Wares group, detected 27 Feb 2025) exposed personal and financial data of customers of insurer MAIF and banking group BPCE (Banque Populaire / Caisse d'Épargne) in a supply-chain breach.

Victim
MAIF & BPCE
Supply chainContained

Leak at Direct Assurance

In March 2025, French direct insurer Direct Assurance (an AXA subsidiary) suffered a breach via its partner Run Assurance: attackers exploited a flaw in the data exchanges between the two firms to access customer personal data, raising identity-theft and phishing risks.

Victim
Direct Assurance