Leak at France Éducation International (via GAEL)
A January 2026 cyberattack on France Éducation International's GAEL platform exposed civil-identity data of roughly 5.8 million DELF-DALF exam candidates and diploma holders since 2005, after attackers used compromised external user credentials.
- Victim
- France Éducation International
- records
- 5.8M
On 20 January 2026, France Éducation International — the French public operator that manages the DELF and DALF French-language diplomas — disclosed a cyberattack on its GAEL platform, the system used to administer those diplomas. The intrusion took place between 9 and 12 January 2026 and was contained when access to the platform was suspended for investigation.
According to the operator's initial analysis, the attacker logged in using valid usernames and passwords obtained from the compromise of several external user accounts, rather than exploiting a software vulnerability. Using this legitimate access, they extracted the civil-identity records of roughly 5.8 million candidates and diploma holders who had sat the exams since 2005.
The exposed data was limited to civil-status fields:
- Surname and first name
- City and country of birth
- Date of birth
- Nationality
- Native language
- Affiliated (registration) exam centre
France Éducation International stated that no postal addresses, email addresses, phone numbers or financial information were affected. The organisation suspended the platform, notified the CNIL and ANSSI, filed a police complaint, and strengthened access controls (including planned multi-factor authentication) before restoring the GAEL platform to service on 26 January 2026.
Sources
- france-education-international.frhttps://www.france-education-international.fr/actualites/incident-sur-la-plateforme-gael-diplomes-delf-dalf
- france-education-international.frhttps://www.france-education-international.fr/faq/faq-incident-gael
- dpo-partage.frhttps://www.dpo-partage.fr/cyberattaque-gael-education-nationale-donnees-personnelles/