12 million people exposed in French national ID agency data breach
What happened
On April 15, 2026, France's National Agency for Secure Documents (Agence nationale des titres sécurisés, ANTS) detected a security incident on its ants.gouv.fr portal. An attacker breached the system and exfiltrated personal data from an estimated 11.7 million user accounts — both individual and professional.
ANTS is a critical government agency responsible for issuing national ID cards, passports, driving licenses, and residence permits across France.
The incident was publicly confirmed on April 22 after a threat actor operating under the aliases "breach3d" and "ExtaseHunters" appeared on criminal forums offering the stolen data for sale.
What data was exposed
The French Ministry of Interior confirmed the exposure of:
- Full name
- Email address
- Date and place of birth
- Login identifier
- Unique ANTS account identifier
- Phone number (for some accounts)
- Postal address (for some accounts)
Passwords and biometric data are not believed to have been compromised.
Root cause: a trivial IDOR vulnerability
This was not a sophisticated operation. The attacker exploited an IDOR (Insecure Direct Object Reference) vulnerability in the portal's API — simply modifying a numeric parameter in a request returned another user's data. No authorization checks, no access verification.
This is one of the most basic security flaws, a staple of the OWASP Top 10 that any security audit should catch.
Official response
- CNIL (France's data protection authority) was notified under GDPR Article 33 — mandatory breach notification within 72 hours.
- The Paris Public Prosecutor received a criminal referral.
- ANSSI (France's national cybersecurity agency) was called in to investigate.
- ANTS warned the public about potential phishing and vishing attacks exploiting the leaked data.
- Some portal services (including passport issuance) were temporarily restricted.
Why this matters for every organization
1. Basic security failures have catastrophic consequences
An IDOR vulnerability is trivial — yet it led to the exposure of 12 million people's data. Sophisticated attacks are not needed when fundamentals fail.
2. GDPR applies to everyone — including government agencies
CNIL can investigate state institutions. Notification obligations, data minimization, and technical safeguards apply without exception.
3. Leaked data fuels further attacks
Name, date of birth, email, and phone number — that is a complete kit for targeted phishing, vishing, or fraudulent document applications. The consequences of a breach compound over time.
What this means for consent management
Every organization that collects personal data — including cookie consents — bears responsibility for protecting it. The ANTS incident is a reminder:
- Collect only what you need — the data minimization principle (GDPR Art. 5) reduces the impact of any breach.
- Audit-ready records — transparent logs of who accessed data and when are essential during investigations.
- Regular security checks — automated vulnerability scanning should be standard, not exceptional.
Waulter CMP is built with data minimization and transparent consent management at its core. Consent records are encrypted, access logs are auditable, and no personal data is stored beyond GDPR requirements.
Sources: French Ministry of Interior — press release (April 22, 2026), TechCrunch, The Record (Recorded Future), CyberNews, SecurityAffairs, CNIL notification under GDPR Art. 33