Leak at MDPH 92
In early March 2026, MDPH 92 — the Hauts-de-Seine disability services agency — accidentally exposed around 500 beneficiaries' email addresses by sending a mass post-cyberattack notice with recipients in CC instead of BCC.
- Victim
- MDPH 92
- records
- 500
On 2 March 2026, the MDPH 92 — the Maison Départementale des Personnes Handicapées (departmental disability rights agency) for Hauts-de-Seine — accidentally exposed roughly 500 of its beneficiaries' email addresses in a single mass mailing.
While trying to inform users that its services were resuming after the major ransomware-style cyberattack that had paralysed the Hauts-de-Seine department in May 2025, the agency sent a collective email with all recipients placed in the visible "CC" field rather than the blind "BCC" field. As a result, every recipient could see the full list of the other addressees.
- Email addresses of approximately 500 MDPH beneficiaries
The leak was the result of human error rather than a malicious intrusion, but it is sensitive because it discloses a list of people in contact with a disability services agency — a vulnerable population. Observers warned of a heightened risk of spam and targeted phishing exploiting the recipients' known relationship with the MDPH. The incident is a one-off disclosure that has already occurred; coverage emphasised the need for better procedures and staff awareness rather than blaming the individual who sent the message.
Sources
- lesmotsontunsens.comhttps://www.lesmotsontunsens.com/mdph-92-le-mail-post-cyberattaque-qui-lache-500-adresses-email-en-clair/
- zataz.comhttps://www.zataz.com/parents-en-detresse-apres-la-cyberattaque-de-la-mdph-92/