Skip to content
RansomwareOngoing

Leak at La Centrale du Financement

A threat actor exfiltrated around 387 GB of data (some 411,000 files) from French mortgage and credit broker La Centrale de Financement, exposing highly sensitive customer KYC documents, financial records and internal files, then offered the dataset for sale after failed extortion negotiations.

Victim
La Centrale du Financement

On 28 November 2025, La Centrale de Financement — one of France's largest mortgage and credit brokers — was hit by a major data breach after a threat actor exfiltrated data from its corporate network. As a broker, the company sits between borrowers and major French banks and routinely collects the most sensitive financial documents an individual holds, making the exposed data especially damaging.

The attacker claimed to have stolen roughly 387 GB of data spread across about 411,000 files. Samples reviewed by security monitors were assessed as highly credible. According to the threat actor, negotiations with the company were attempted and failed, after which the dataset was put up for sale on a criminal forum for around $25,000 — a pattern consistent with a double-extortion scheme.

Exposed data categories reportedly included:

  • Identity / KYC documents (passport scans, national ID cards, family record books)
  • Financial proofs (bank statements, pay slips, tax returns)
  • Loan and financing files, transaction records and partner financing agreements
  • Notarial acts, insurance and legal documents, and electronic signatures
  • Internal company data including emails and accounting records

The breach was first surfaced in late November 2025 and was being publicly tracked by December 2025 as the stolen data was marketed online. The number of distinct customers affected was not officially quantified, and the incident remained ongoing as the dataset circulated.

Sources

  1. zataz.comhttps://www.zataz.com/un-courtier-du-credit-cible-par-un-pirate/
  2. brinztech.comhttps://www.brinztech.com/breach-alerts/brinztech-alert-alleged-database-of-la-centrale-de-financement-france-is-on-sale-387-gb/
  3. bonjourlafuite.eu.orghttps://bonjourlafuite.eu.org/#La%20Centrale%20du%20Financement-2025-11-28

Related incidents

RansomwareOngoing

Leak at Harvest

Harvest, a French wealth-management software editor, was hit by a Run Some Wares ransomware double-extortion attack disclosed in April 2025; internal and client files were exfiltrated and published, reportedly exposing data on tens of thousands of individuals and thousands of companies.

Victim
Harvest
RansomwareContained

Leak at Commune de Lens

In late December 2025, the town hall of Lens (Pas-de-Calais, France) disclosed an intrusion into its information system that paralysed municipal services for about a week, blocking staff software and telephone lines; the attack vector was undisclosed and data theft was not confirmed.

Victim
Commune de Lens
RansomwareOngoing

Leak at Michelin

In November 2025, the Cl0p extortion gang listed French tyre maker Michelin on its leak site, claiming to have stolen internal manufacturing, engineering, supply-chain, financial and HR files via the Oracle E-Business Suite zero-day (CVE-2025-61882).

Victim
Michelin