Skip to content
Vulnerability exploitContained

Leak at I-Cad

I-Cad, France's national dog, cat and ferret identification registry, disclosed in March 2026 that a September 2025 software vulnerability had allowed automated querying of its database, exposing users' email addresses and fuelling phishing campaigns against pet owners.

Victim
I-Cad

On 23 March 2026, I-Cad — operated by Ingenium animalis, the operator of France's mandatory national identification file for dogs, cats and ferrets — issued a public notice to its users about a security incident. The disclosure was prompted by a wave of phishing messages in which pet owners received emails containing some of their own personal data, suggesting that information held by the registry had leaked.

I-Cad traced the issue back to September 2025, when its teams identified a software vulnerability that could have allowed certain records in the database to be queried in an automated fashion (mass scraping). The operator said the flaw was contained as soon as it was discovered and that technical measures were deployed to prevent any recurrence.

The data potentially exposed was limited to:

  • Email addresses

I-Cad reported the September 2025 incident to France's data protection authority, the CNIL, under Article 33 of the GDPR. At the time of disclosure the operator said it had found no confirmed fraudulent use of data originating from its systems, but warned that the recent phishing attempts indicated a residual risk of personal data being reused. It reminded users that legitimate emails only come from contact@i-cad.fr, contact.pro@i-cad.fr or noreply@i-cad.fr, and asked recipients of suspicious messages to report them to dpo@i-cad.fr.

Sources

  1. i-cad.frhttps://www.i-cad.fr/articles/communication-publique-usagers-incident-securite
  2. i-cad.frhttps://www.i-cad.fr/actualites/alerte-messages-fraduleux

Related incidents

Vulnerability exploitContained

Leak at Maeva

In May 2026, Maeva — the holiday-rental brand of Pierre & Vacances-Center Parcs — disclosed a breach in which an attacker scraped up to ten years of booking data, exposing names, dates of birth, phone numbers and stay details for around 4.5 million customers across 1.6 million reservations.

Victim
Maeva