Leak at the Civil Aviation Safety Organisation
In February 2026 the LAPSUS$ extortion group claimed the theft of about 420 GB of data from France's Civil Aviation Safety Organisation (OSAC), including ID cards, passports, diplomas, proof-of-address documents and internal files; the data was later leaked in full.
- Victim
- Civil Aviation Safety Organisation
On 24 February 2026, OSAC (Organisme pour la Sécurité de l'Aviation Civile) — France's delegated civil aviation safety and certification body, which inspects and certifies aircraft, equipment and personnel — was named as the victim of a large data-theft and extortion operation. The LAPSUS$ group announced via Telegram that it had compromised OSAC and exfiltrated roughly 420 GB of data, and after negotiations failed it released the full trove publicly.
The attackers published samples and then the complete dataset, which reportedly mixed personal records of individuals (applicants, certified personnel, staff) with sensitive operational and corporate documents. Files were said to reference major aerospace and defence players including Thales, Dassault Systèmes, Airbus, Boeing, the U.S. FAA and the French military, raising concern about the sensitivity of the leak well beyond ordinary personal data.
Exposed data reportedly included:
- National ID cards and passports
- Academic diplomas and certifications
- Proof-of-address documents
- User/email lists
- Internal manuals, procedures and operational documents
OSAC acknowledged the incident and put its website into maintenance, but its public communication sought to downplay the impact, framing the exposed material mainly as manuals, procedures and limited personal data. The claims of OSAC, Airbus, Dassault, Thales and the other named entities have not been independently confirmed in full, and with the data already circulating, affected individuals face heightened risks of phishing, identity theft, document fraud and social engineering. As of disclosure the situation was unresolved.
Sources
- frenchbreaches.comhttps://frenchbreaches.com/blog/lorganisme-de-securite-de-laviation-civile-osac-vise-par-une-fuite-revendiquee
- enderi.frhttps://enderi.fr/cyberattaque-revendiquee-contre-losac-quels-enjeux-pour-la-securite-aerienne-et-la-defense/
- redpacketsecurity.comhttps://www.redpacketsecurity.com/lapsus-ransomware-victim-osac-aero/