Skip to content
Supply chainContained

Leak at Alfortville town hall (via RDV360)

On 19 Nov 2025, Alfortville town hall notified residents that their contact details were exposed in a breach of its appointment-booking provider RDV360, part of a supply-chain attack hitting ~1,300 French municipalities and ~14M records.

Victim
Alfortville town hall

On 19 November 2025, Alfortville town hall — a municipality in the Val-de-Marne, near Paris — began notifying residents that their personal data had been exposed in a breach not of its own systems but of RDV360, the third-party platform it used for booking administrative appointments (identity cards, passports, and similar services).

The incident was a supply-chain compromise. Attackers reportedly used a municipal employee's login credentials — harvested in an unrelated earlier breach — to access a RDV360 client account, then exploited a flaw in the platform's appointment-and-reservation module that allowed unauthorised bulk export of records. The campaign, active around September–October 2025, struck roughly 1,300 French municipalities through RDV360 and a second provider, SynBird, exposing on the order of 14 million records spanning appointments from 2021 to November 2025. A group calling itself "dumpsec" was linked to the operation.

Data exposed for affected residents was limited to:

  • First and last name
  • Email address
  • Phone number
  • Postal address

RDV360 stated that no sensitive data, identity documents, financial information, or passwords were taken. The provider said it had patched the vulnerability, notified France's data-protection authority (CNIL), and filed a criminal complaint; affected towns including Alfortville issued vigilance warnings to residents about possible phishing.

Sources

  1. lagazettedescommunes.comhttps://www.lagazettedescommunes.com/1013192/cybersecurite-cyberattaque-plateformes-de-reservation-ces-collectivites-victimes-de-la-defaillance-de-leurs-fournisseurs/
  2. next.inkhttps://next.ink/211076/des-fuites-de-donnees-non-sensibles-dans-1-300-mairies-les-intermediaires-cibles/
  3. banquedesterritoires.frhttps://www.banquedesterritoires.fr/fuite-de-donnees-dans-1300-communes-les-prestataires-en-cause

Related incidents