Skip to content
Supply chainContained

Leak at ASAF & AFPS (via Itelis)

Members of insurer ASAF & AFPS had personal data exposed after a breach at Itelis, the optical-care network processing their claims; names, dates of birth, social security numbers, claim records and vision-correction data from 2020-2022 were affected.

Victim
ASAF & AFPS

On 5 December 2025, ASAF & AFPS β€” a French member-based insurance association β€” notified members that their personal data had been exposed in a breach at Itelis, the optical-care network that processes optical reimbursement claims on the association's behalf. Because the data was held and processed by this third-party partner, the incident is a supply-chain compromise affecting ASAF & AFPS members rather than a breach of the insurer's own systems.

The unauthorised access was tied to the impersonation of a partner optician account, allowing the attacker to reach claim data without compromising policyholder credentials. The exposure was limited to optical-care claims processed between 2020 and the first quarter of 2022. Itelis also processes claims for other clients, including Axa and Malakoff Humanis, whose insured were affected as well.

Exposed data included:

  • Full name and date of birth
  • Social security number
  • Claim/file reference number
  • Optical reimbursement record
  • Vision-correction data
  • Phone number (in some cases)

Banking details, postal addresses, email addresses and passwords were reported as not affected. Itelis notified the CNIL, filed a complaint with the public prosecutor and activated a crisis team. ASAF & AFPS warned members to watch for phishing and fraud attempts leveraging the exposed information and offered personalised follow-up for any reported fraudulent activity. The exact number of affected individuals has not been publicly disclosed.

Sources

  1. acuite.frhttps://www.acuite.fr/actualite/ocam/323834/la-plateforme-de-soins-itelis-victime-dune-cyberattaque-concernant-des-donnees
  2. next.inkhttps://next.ink/brief_article/fuite-de-donnees-personnelles-chez-itelis-axa-nom-dossier-correction-numero-secu/
  3. ecura.frhttps://ecura.fr/2025/12/05/cyberattaque-chez-itelis-quelles-donnees-ont-reellement-fuite/cyber-securite/sauvegarde/

Related incidents

Supply chainContained

Leak at AG2R la Mondiale (via Itelis)

Disclosed in November 2025, a cyberattack on Itelis β€” the optical-care third-party network used by insurer AG2R la Mondiale β€” exposed beneficiaries' names, dates of birth, social security numbers, reimbursement records and vision-correction data for optical coverage handled between 2020 and early 2022.

Victim
AG2R la Mondiale
Supply chainContained

Leak at La Nef

In September 2025, French ethical cooperative bank La Nef notified shareholders that their email addresses were exposed after a cyberattack on third-party voting provider SLIB; only email addresses were affected, with no banking data, IDs or passwords compromised.

Victim
La Nef
Supply chainContained

Leak at MAIF & BPCE

A ransomware attack on French wealth-management software vendor Harvest (Run Some Wares group, detected 27 Feb 2025) exposed personal and financial data of customers of insurer MAIF and banking group BPCE (Banque Populaire / Caisse d'Γ‰pargne) in a supply-chain breach.

Victim
MAIF & BPCE
Supply chainContained

Leak at Direct Assurance

In March 2025, French direct insurer Direct Assurance (an AXA subsidiary) suffered a breach via its partner Run Assurance: attackers exploited a flaw in the data exchanges between the two firms to access customer personal data, raising identity-theft and phishing risks.

Victim
Direct Assurance