Data leak at Sorbonne Université
In mid-2025, Sorbonne Université (Paris) suffered a breach of its HR/payroll system that exposed personal data of roughly 32,000 current and former staff, including contact details, identity information and family members' names.
- Victim
- Sorbonne Université
- records
- 32.0K
On 11 July 2025, leaked data tied to Sorbonne Université — one of France's largest public research universities, based in Paris — surfaced publicly, stemming from a cyberattack the institution first disclosed on 6 June 2025. Attackers exploited a vulnerability in the university's information system, reaching its HR and payroll management tools (SIRH).
The compromise affected roughly 32,000 current and former staff. The data tied to this disclosure centred on personal and professional contact and identity information, in some cases extending to family members.
Exposed data categories included:
- First and last names
- Personal and professional email addresses
- Phone numbers
- Postal addresses
- First and last names of spouses and children
Wider reporting on the same breach indicated that more sensitive payroll-related records — social security numbers, bank details (RIB/IBAN) and salary documents — were also among the data accessed via the HR system.
In line with the GDPR, Sorbonne Université reported the incident to France's data protection authority (CNIL) and to the national cybersecurity agency (ANSSI), set up a dedicated hotline and FAQ for affected staff, and worked with a cybersecurity firm to restore services and contain the incident.
Sources
- sorbonne-universite.frhttps://www.sorbonne-universite.fr/en/press-releases/information-cyberattack-sorbonne-university
- zataz.comhttps://www.zataz.com/fuite-massive-a-sorbonne-universite-donnees-bancaires-contrats-et-numeros-de-secu-dans-la-nature/
- usine-digitale.frhttps://www.usine-digitale.fr/article/sorbonne-universite-victime-d-une-cyberattaque-des-donnees-sensibles-compromises.N2234059
- idprotect.frhttps://idprotect.fr/sorbonne-victime-vol-donnees/