Skip to content
Supply chainContained

Leak at La Nef

In September 2025, French ethical cooperative bank La Nef notified shareholders that their email addresses were exposed after a cyberattack on third-party voting provider SLIB; only email addresses were affected, with no banking data, IDs or passwords compromised.

Victim
La Nef

On 25 September 2025, La Nef β€” a French ethical cooperative bank with roughly 50,000 members and 90,000 clients β€” alerted shareholders to a data leak exposing their email addresses. The incident, confirmed on 9 September 2025 thanks partly to the vigilance of members, did not originate from La Nef's own systems.

The exposure stemmed from a third-party provider, SLIB, which operates the "Agathe" online-voting platform that La Nef had used for two years to enable remote voting at its general assembly. One of SLIB's email-statistics tools was hit by a cyberattack, and the tool still held shareholder email addresses even after La Nef had discontinued the service.

Exposed data was limited to:

  • Email addresses (used for general-assembly convocations)

La Nef stressed that banking details, identification documents and passwords were not affected. The bank notified the French data-protection authority (CNIL) and demanded a full audit of SLIB. Coverage noted a slow response in one case, with a member who flagged a problem on 8 August reportedly waiting 47 days for a reply.

Sources

  1. next.inkhttps://next.ink/201451/la-banque-cooperative-la-nef-alerte-ses-clients-au-sujet-dune-fuite-dadresses-email/

Related incidents

Supply chainContained

Leak at ASAF & AFPS (via Itelis)

Members of insurer ASAF & AFPS had personal data exposed after a breach at Itelis, the optical-care network processing their claims; names, dates of birth, social security numbers, claim records and vision-correction data from 2020-2022 were affected.

Victim
ASAF & AFPS
Supply chainContained

Leak at AG2R la Mondiale (via Itelis)

Disclosed in November 2025, a cyberattack on Itelis β€” the optical-care third-party network used by insurer AG2R la Mondiale β€” exposed beneficiaries' names, dates of birth, social security numbers, reimbursement records and vision-correction data for optical coverage handled between 2020 and early 2022.

Victim
AG2R la Mondiale
Supply chainContained

Leak at MAIF & BPCE

A ransomware attack on French wealth-management software vendor Harvest (Run Some Wares group, detected 27 Feb 2025) exposed personal and financial data of customers of insurer MAIF and banking group BPCE (Banque Populaire / Caisse d'Γ‰pargne) in a supply-chain breach.

Victim
MAIF & BPCE
Supply chainContained

Leak at Direct Assurance

In March 2025, French direct insurer Direct Assurance (an AXA subsidiary) suffered a breach via its partner Run Assurance: attackers exploited a flaw in the data exchanges between the two firms to access customer personal data, raising identity-theft and phishing risks.

Victim
Direct Assurance