Skip to content
Supply chainContained

Data leak at CAF (RSA) - unspecified volume

In late February 2026, France's family-allowance fund CAF disclosed that around 70,000 RSA welfare recipients' dossiers were exposed after the HubEE inter-agency document platform was breached, leaking names, social-security numbers and contact details.

Victim
CAF (RSA)
records
70.0K

On 25 February 2026, CAF (Caisse d'allocations familiales) — France's national family-allowance fund — notified beneficiaries of the RSA welfare scheme that their personal data had been exposed in a breach. The compromise did not originate in CAF's own systems but in HubEE, the inter-agency document-exchange platform operated by the state digital directorate DINUM, which CAF uses to transmit RSA case files to departmental councils.

The intrusion into HubEE was detected on 9 January 2026, and DINUM issued an alert on 16 January. Roughly 70,000 RSA dossiers, representing about 160,000 documents, were affected before CAF began notifying recipients individually in late February in line with its GDPR obligations.

The exposed data included:

  • Names and surnames
  • Social-security numbers
  • Allocatee (beneficiary) registration numbers
  • Email addresses and phone numbers
  • RSA application and benefit-eligibility dates

CAF and DINUM confirmed that no bank-account details or CAF.fr account passwords were compromised, and that the incident had no impact on RSA entitlements or payment dates. Officials warned affected recipients to expect a surge in targeted phishing, fraudulent calls and identity-theft attempts using the leaked information.

Sources

  1. fuitesinfos.frhttps://fuitesinfos.fr/article/2026-02-25-caf-rsa
  2. lemondeinformatique.frhttps://www.lemondeinformatique.fr/actualites/lire-des-donnees-des-beneficiaires-du-rsa-compromises-99465.html
  3. generation-nt.comhttps://www.generation-nt.com/actualites/fuite-donnees-rsa-caf-dinum-hubee-2071487

Related incidents