What Happened
In April 2026, France Titres (formerly ANTS), the French Agency for Secure Titles managing services like passports, ID cards, and driver’s licenses via ants.gouv.fr, detected a security incident on April 15 involving unauthorized access, which the Ministry of the Interior confirmed on April 20 as exposing data from 11.7 million user accounts. A 15-year-old hacker using the pseudonym “breach3d” exploited an IDOR vulnerability in the API, exfiltrating personal details including names, first names, dates of birth, email addresses, login IDs, unique account identifiers, and in some cases postal addresses, birthplaces, phone numbers, and professional data like SIREN numbers—but not passwords or uploaded documents. The hacker attempted to sell 18-19 million records on a cybercrime forum; he was arrested and placed under judicial supervision by late April. The government responded by allocating €200 million for cybersecurity upgrades, including vulnerability tests and post-quantum cryptography, amid admissions of roughly three daily state data thefts in 2026.


