Skip to content
Supply chainContained

Data leak at Synbird

In November 2025, Synbird — the SaaS provider handling municipal appointment bookings for around 1,300 French communes — disclosed a breach in which an attacker abused a weakly-secured PDF export to exfiltrate residents' contact details and appointment information.

Victim
Synbird

On 18 November 2025, Synbird — the SaaS platform that handles online appointment bookings (notably civil-registry and ID-document slots) for roughly 1,300 French municipalities — disclosed a data breach affecting residents across its town-hall clients. Because Synbird acts as a subcontractor to the communes, the incident cascaded into a supply-chain exposure touching local governments nationwide, including towns such as La Rochelle, Martigues and several in Brittany.

The intrusion took place between 24 and 26 October 2025 and was detected and blocked on 26 October. An attacker logged into a municipal agent's Synbird account — reportedly using credentials harvested from an earlier, unrelated leak — and then discovered that the appointment-list PDF export feature was less strictly secured than other data-access paths. Using it, the attacker generated and downloaded roughly fifty files per municipality, covering appointments created between 8 and 26 October 2025.

The exposed data was limited to information entered when booking an appointment:

  • First and last name
  • Email address
  • Phone number
  • Postal address
  • Appointment date, time, location and purpose

Synbird states that no passwords, identity-document images or financial data were compromised. The company notified the CNIL and ANSSI on 27 October 2025, patched the export vulnerability, and rolled out additional controls including request rate-limiting, IP filtering and two-factor authentication, with an ANSSI-qualified audit planned for early 2026. No fraudulent use of the data had been detected at the time of disclosure.

Sources

  1. france3-regions.franceinfo.frhttps://france3-regions.franceinfo.fr/bretagne/finistere/quimper/vol-massif-de-donnees-en-bretagne-au-moins-cinq-communes-touchees-l-enquete-s-accelere-voici-ce-que-l-on-sait-3252205.html
  2. synbird.comhttps://www.synbird.com/fr/faq-protection-des-donnees/
  3. banquedesterritoires.frhttps://www.banquedesterritoires.fr/fuite-de-donnees-dans-1300-communes-les-prestataires-en-cause

Related incidents

Supply chainContained

Leak at La Rochelle (via Synbird)

Personal data of 394 La Rochelle residents who booked civil-status appointments was exposed after an attacker exploited a flaw in Synbird, the town hall's third-party appointment-scheduling provider, which serves roughly 1,300 French communes.

Victim
La Rochelle
Records
394
Supply chainContained

Leak at Quimper town hall (via RDV360)

In November 2025, the city of Quimper (France) was caught in a supply-chain breach of appointment-booking provider RDV360, exposing roughly 12,000 contact records (name, postal code, email, phone) of residents who booked ID-card or passport renewals since April 2024.

Victim
Quimper town hall
Records
12.0K