France data leaks part 2  
Franceâs Quiet Data Leaks (2025): when state institutions themselves start leaking
An explainer for readers unfamiliar with how France actually works
Earlier we looked at government-adjacent bodies â federations, agencies, semi-public services. Unfortunately, 2025 didnât stop there. Core state institutions themselves were hit, including one of the most sensitive ministries in the country.
Short answer to your question: yes, the Ministry of the Interior was impacted. And that matters more than any sports federation ever could.
Letâs widen the lens.
The French state: one flag, many layers
From the outside, âthe French governmentâ sounds monolithic. In reality, itâs layered:
- Ministries (Interior, Justice, Finance, HealthâŚ)
- Inter-ministerial platforms (shared IT, document hubs, secure messaging)
- Agencies and operators (France Travail, URSSAF, OFIIâŚ)
- Delegated bodies (federations, professional organisations)
In 2025, breaches occurred at every level of this stack.
Ministère de lâIntĂŠrieur
This is the big one.
What it is: The Ministry of the Interior oversees police, gendarmerie, elections, immigration enforcement, national identity systems, and internal security. If a state has a nervous system, this is it.
What happened in 2025: In December, the ministry confirmed a cyberattack affecting internal IT systems, including email infrastructure. Access was cut, incident response teams were deployed, and investigations were opened with ANSSI and judicial authorities.
What data was exposed: Officials were careful â very careful â in their wording. They acknowledged unauthorised access but did not fully disclose the scope. At the same time, attackers claimed to possess highly sensitive datasets (law-enforcement records, flagged individuals, internal files). Those claims remain unverified, but the breach itself is not disputed.
Why this matters internationally: This isnât a leak of customer emails. This is a breach of a ministry responsible for internal security. Even partial access to internal communications is a strategic failure, regardless of what data was ultimately exfiltrated.
Shared state platforms: one breach, many victims
France has aggressively centralised digital services across ministries. Efficient on paper, fragile in reality.
HubEE / Service-Public document platforms
What they are: Inter-ministerial systems allowing citizens and businesses to upload official documents for administrative procedures.
What happened: Between late 2025 and early 2026, attackers exfiltrated tens of thousands of dossiers and over a hundred thousand documents â identity papers, certificates, scanned forms.
Why it matters: Once documents leave a government platform, they donât âexpireâ. Identity theft risk persists for years.
ANSSI â the irony layer
ANSSI is Franceâs national cybersecurity authority. It didnât leak data itself in 2025, but it was constantly in response mode, coordinating investigations across ministries and agencies.
The uncomfortable truth: France knows how to do cybersecurity. It just hasnât enforced it uniformly across its sprawling administrative ecosystem.
State agencies (not ministries, but close enough)
These were already covered, but they belong in the same article because, functionally, they are the state for citizens:
-
France Travail Employment, benefits, identity data â repeated incidents and regulatory sanctions.
-
URSSAF (including Pajemploi) Social identifiers and employment relationships exposed via service breaches and partner access.
-
Office Français de lâImmigration et de lâIntĂŠgration Foreign residentsâ data leaked through subcontractors â a classic third-party failure.
How this looks from the outside (and why itâs alarming)
For a non-French audience, the key insight is this:
In France, you cannot opt out of most of these systems.
You donât âchooseâ the Interior Ministry. You donât âpick another providerâ for social security. You donât unsubscribe from employment or immigration administration.
When these systems leak, entire life trajectories leak with them.
The real pattern behind 2025
This wasnât a year of genius hackers. It was a year of structural weakness:
- Over-centralised platforms
- Under-audited subcontractors
- Credential sprawl
- Political pressure to digitise faster than secure
The Ministry of the Interior breach is the clearest signal that no layer was immune â not even the core sovereign ones.
Final takeaway
France in 2025 offers a preview of a problem every digitised state will face:
When administration becomes software, governance is security.
Without ruthless accountability, âdigital public serviceâ quietly turns into âdigital mass exposureâ.
Thatâs not a French story. Itâs just France getting there early â and loudly.