French ID Agency Says Hackers Stole Citizens’ Personal Data

Hackers pulled names, login IDs and other identity records from France Titres, the agency that issues passports, national ID cards and driver’s licenses, turning a breach of a government identity system into something more dangerous than a routine corporate hack.

France Titres, formerly known as the Agence nationale des titres sécurisés, said the security incident was detected on April 15 and involved disclosure of data from personal and professional accounts on its ants.gouv.fr portal. Officials said the exposed information may include login IDs, names, email addresses, dates of birth, unique account identifiers, and in some cases postal addresses, places of birth and telephone numbers. Uploaded attachments were not compromised, and the agency said the stolen data did not allow unauthorized access to portal accounts.

That distinction matters. A breach at a private company can expose a payment card or a password. A breach at an agency that manages identity documents can hand criminals a toolkit for impersonation, social engineering and long-term fraud. Even without direct account access, identity details from passport and national ID systems can be used to make phishing messages look credible, push victims into revealing more sensitive information, or open the door to scams that target families, workers and older adults with official-looking urgency.

France Titres said it notified affected individuals and warned people to be especially alert to phishing by SMS, phone and email from impostors posing as the agency. The agency also reported the incident to CNIL, France’s data protection authority, to the Paris public prosecutor for a criminal investigation and to ANSSI, the national cybersecurity agency, while adding security measures to keep the portal operating.

The breach lands after a wave of claims circulating online. France Titres had previously rejected a dark-web listing that said a database of 12 million to 13 million records had been stolen, saying no intrusion had been identified and that the sample data did not match ANTS formats. In the latest episode, criminal actors are claiming possession of 18 million to 19 million records, but French authorities have not confirmed that figure.

For readers in the United States, the lesson is familiar. Government-held personal data is not just another database; it is a map of identity. When that map leaks, the damage can extend well beyond one portal, because thieves can use the details to impersonate agencies, bypass trust and pressure people into acting fast. The next warning signs are the same ones France Titres flagged: unsolicited calls, text messages and emails that sound official, ask for verification, or try to draw people back into a fake identity workflow.