Skip to content
Supply chainContained

Leak at Sports and Cultural Federation of France

The Sports and Cultural Federation of France (FSCF) had the personal data of roughly 1.33 million members exposed after a third-party licence-management provider was compromised, leaking names, dates of birth, postal addresses, contact details and licence/membership records.

Victim
Sports and Cultural Federation of France
records
1.3M

On 26 February 2026, the Sports and Cultural Federation of France (Fédération Sportive et Culturelle de France, FSCF) — one of France's oldest multi-sport and cultural federations — was confirmed as a victim of a wide-ranging breach of French sports federations, with the personal data of roughly 1,334,442 members exposed.

The incident did not stem from a direct compromise of FSCF's own systems. Instead, attackers exploited a vulnerability at a shared third-party IT provider responsible for the licence-management and administrative platforms used by numerous French federations. A compromised account was used to extract member databases, which were then offered for sale on the cybercrime marketplace BreachForums by an actor using the alias "TheFrenchGuy" and later re-circulated on dark-web channels.

Exposed data categories included:

  • Title, first name, last name and gender
  • Date of birth, nationality and country of birth
  • Postal address and contact details (email, phone)
  • Licence number and member code
  • Sports discipline and affiliated structure

The FSCF leak was part of a broader campaign affecting more than thirty French sports federations, totalling over 4.5 million stolen records. The federation reported the incident and notified the French data protection authority (CNIL); no banking data was reported as compromised. Because the breach originated with an external provider, exposed members faced an elevated risk of phishing and identity-fraud campaigns. The CNIL subsequently opened a wave of oversight of the affected federations in 2026.

Sources

  1. zataz.comhttps://www.zataz.com/piratage-massif-des-federations-sportives-francaises-45-millions-de-donnees-vendues/
  2. idprotect.frhttps://idprotect.fr/1-sur-4-licencie-sportif-france-donnees-volees/
  3. leto.legalhttps://www.leto.legal/news/cnil-controles-federations-sportives-rgpd-2026

Related incidents

Supply chainContained

Leak at La Mine Bleue (via Vivaticket)

On 31 March 2026, French tourist attraction La Mine Bleue notified customers that their personal data — names, postal code/country, email and purchase history — was exposed in the ransomware breach of its ticketing provider Vivaticket; no banking data was affected.

Victim
La Mine Bleue