Skip to content
Supply chainContained

310,000 Carte Jeune beneficiaries: Région Occitanie data leak

In March 2026, France's Région Occitanie disclosed a breach of its Carte Jeune Région scheme after a technical service provider was compromised, exposing the personal data of about 310,000 young beneficiaries — including some 270,000 ID photos of minors — which the DumpSec group put up for sale on the dark web.

Victim
Occitanie regional council
records
310.0K

On 9 March 2026, the Région Occitanie — the French regional authority covering southern France from Toulouse to Montpellier — confirmed a data breach affecting its "Carte Jeune Région" scheme, a youth benefits card widely used by the region's high-school students. The regional council said it had learned of the security incident on 5 March 2026 from the technical service provider that operates the Carte Jeune information system.

The compromise stemmed from unauthorized access to the provider's infrastructure rather than the Region's own core systems, making it effectively a third-party / supply-chain breach. The threat actor group "DumpSec" subsequently advertised the stolen database — reported at roughly 41.7 GB and containing around 310,000 user records and some 270,000 individual photos — for sale on the dark web. A large share of the photos belong to minors, given the card's high-school user base.

Exposed data reportedly included:

  • Names and surnames
  • Dates of birth
  • Email addresses and phone numbers
  • Identity / portrait photographs (many of minors)
  • School and grade-level information, plus enrolment details

The Region stated that no banking data, passwords, or official identity documents were affected. In response, it reported the incident to France's data-protection authority (CNIL), filed a criminal complaint, and set up a dedicated hotline and email for affected users. Authorities warned beneficiaries to be alert to phishing and identity-fraud attempts using the leaked information.

Sources

  1. fuitesinfos.frhttps://fuitesinfos.fr/article/2026-03-09-region-occitanie
  2. france3-regions.franceinfo.frhttps://france3-regions.franceinfo.fr/occitanie/herault/montpellier/info-france-3-fuite-de-donnees-les-informations-personnelles-de-310-000-jeunes-mises-en-vente-sur-le-darkweb-suite-a-une-cyberattaque-contre-la-region-3313425.html
  3. idprotect.frhttps://idprotect.fr/carte-jeune-region-occitanie-cyberattaque-donnees/

Related incidents

Supply chainContained

Leak at Contrat d'intégration républicaine

France's OFII immigration agency notified signatories of the Contrat d'intégration républicaine that a January 2026 breach via a compromised subcontractor exposed the names, emails, phone numbers and postal addresses of roughly 2.1 million people.

Victim
Contrat d'intégration républicaine
Records
2.1M