Skip to content
Data breachContained

Leak at the French Ministry of Sports

On 19 December 2025 France's Ministry of Sports confirmed a breach of a system tied to the Pass'Sport aid scheme, exposing data on about 3.5 million households — names, dates of birth, contact details, social security, INE and CAF numbers — published on a criminal forum.

Victim
French Ministry of Sports

On 19 December 2025, the French Ministry of Sports, Youth and Associative Life — the government department running the Pass'Sport youth-activity subsidy — confirmed that data had been exfiltrated from one of its information systems, affecting roughly 3.5 million households. A file of around 22 million lines was offered on a criminal forum, where a threat actor presented it as retaliation against the French state.

The exposed records came from the Pass'Sport program rather than from the CAF family-allowance fund, which officials explicitly ruled out as the source despite early rumors. Analysts pointed to an insecure-access flaw on the partner portal aggregating beneficiary data as the likely entry point. The leaked sample combined identity, contact and benefit-administration fields, including highly sensitive national identifiers.

Data categories reported as exposed:

  • First and last name, date of birth, gender
  • Email address, postal address, phone number
  • Category of aid received and organization code
  • Social security number, INE (student) number, CAF number
  • Pass'Sport voucher code

The ministry said it had mobilized technical teams to scope the incident and halt further leakage, filed a complaint with the authorities, and notified France's data-protection regulator (CNIL) within the required 72 hours. It also announced a plan to contact the 3.5 million affected households with security guidance, and observers warned of likely follow-on phishing and social-engineering attempts.

Sources

  1. lindependant.frhttps://www.lindependant.fr/2025/12/19/nouvelle-cyberattaque-des-services-de-letat-35-millions-de-foyers-concernes-par-une-fuite-de-donnees-au-ministere-des-sports-13121276.php
  2. lemondeinformatique.frhttps://www.lemondeinformatique.fr/actualites/lire-pirate-le-ministere-des-sports-alerte-sur-un-vol-de-donnees-98871.html
  3. next.inkhttps://next.ink/brief_article/le-ministere-des-sports-confirme-une-fuite-de-donnees-concernant-35-millions-de-foyers/
  4. franceinfo.frhttps://www.franceinfo.fr/internet/securite-sur-internet/cyberattaques/le-ministere-des-sports-victime-d-une-cyberattaque-3-5-millions-de-foyers-concernes_7690192.html

Related incidents

Data breachUnknown

Leak at justice.fr

On 22 December 2025 a database attributed to the French justice system (justice.fr) recirculated online, exposing personal, professional and banking data — including IBAN/BIC — of 1,100+ magistrates, judges, lawyers and judicial staff.

Victim
justice.fr
Data breachContained

Leak at the French Ministry of the Interior

In December 2025, attackers compromised professional email accounts at France's Ministry of the Interior and accessed sensitive police files including the TAJ criminal-records and FPR wanted-persons databases; the ministry confirmed a few dozen files were exfiltrated while attackers claimed data on 16.4 million people.

Victim
French Ministry of the Interior