What Happened
In late February to March 2026, French construction giant Eiffage (eiffage.com) suffered a significant data breach, with an alleged database leak first identified on the dark web around February 28, containing approximately 50,000 rows of sensitive data including plaintext or hashed admin/user emails and passwords, employee PII such as full names and professional contacts, and internal technical configuration/project metadata, likely from a SQL injection vulnerability. The incident escalated when the Lapsus$ ransomware group claimed responsibility around March 1, publicly listing Eiffage as a victim and reportedly exposing around 333,000 records of personal information, amid a broader wave of cyber activity targeting French industrial sectors. This posed risks like admin hijacking, supply chain sabotage via business email compromise, lateral network movement, and industrial espionage, though Eiffage’s official statement noted no detected impact on their IT systems at the time.
