Skip to content
Data breachOngoing

Claimed leak at OSAC (Civil Aviation) - Ransomware - see details

On 20 February 2026 the LAPSUS$ extortion group claimed to have stolen about 420 GB of data from France's civil-aviation safety body OSAC, including ID documents, passports and internal files; the full dataset was later published online.

Victim
OSAC (Civil Aviation)

On 20 February 2026, OSAC β€” the Organisme pour la SΓ©curitΓ© de l'Aviation Civile, France's delegated body for civil-aviation safety oversight and airworthiness certification β€” was named by the LAPSUS$ extortion group, which announced via Telegram that it had breached the organisation and exfiltrated roughly 420 GB of data.

LAPSUS$ is known for social-engineering, stolen-credential and compromised-account intrusions rather than file-encrypting ransomware, and this case followed the same data-theft-and-extortion pattern. After the initial claim, the group published the complete 420 GB dataset online in retaliation, making the stolen material openly available rather than merely offering it for sale.

According to the threat actor's claims, the exposed data spanned highly sensitive personal and corporate material:

  • Identity documents (national ID cards, passports)
  • Diplomas and proof-of-residence documents
  • User and email lists
  • Internal documents referencing Airbus, Dassault, Thales, Boeing, the U.S. FAA and the French Army

OSAC acknowledged the incident, put its website into maintenance, and emailed users a reassuring message that largely downplayed the impact, describing the affected material as mainly manuals, procedures and "personal data." As of reporting, no full independent confirmation of the dataset's contents had been issued by OSAC or French authorities, and the leaked data β€” which exposes affected individuals to identity theft, document fraud, targeted phishing and social-engineering risk β€” remained in circulation.

Sources

  1. fuitesinfos.frhttps://fuitesinfos.fr/article/2026-02-20-osac-aviation-civile
  2. frenchbreaches.comhttps://frenchbreaches.com/blog/lorganisme-de-securite-de-laviation-civile-osac-vise-par-une-fuite-revendiquee
  3. enderi.frhttps://enderi.fr/cyberattaque-revendiquee-contre-losac-quels-enjeux-pour-la-securite-aerienne-et-la-defense/
  4. redpacketsecurity.comhttps://www.redpacketsecurity.com/lapsus-ransomware-victim-osac-aero/

Related incidents

Data breachOngoing

Leak at Interrail

A December 2025 cyberattack on Eurail B.V., operator of the Interrail and Eurail rail passes, exposed personal data of roughly 308,000 travellers β€” including names, contact details, dates of birth and passport numbers β€” which by 2026 was being sold on the dark web.

Victim
Interrail
Records
308.8K