France ID Agency Breach Exposes Up to 19 Million Records in Major Cyberattack

France's National Agency for Secure Documents (ANTS) is investigating a significant data breach that cybercriminals claim exposed up to 19 million records, potentially affecting one-third of the country's population. The French Interior Ministry confirmed a security incident affecting the ants.gouv.fr portal but has not verified the scale of the compromise.

The breach was detected April 15 and may have exposed personal data including login IDs, full names, email addresses, dates of birth, postal addresses, and telephone numbers tied to user accounts. Officials emphasized that the disclosed data does not include documents submitted during identity procedures, such as passport scans or attachments, and does not allow unauthorized account access.

A threat actor operating under the aliases "breach3d" and "ExtaseHunters" posted on criminal forums claiming to have stolen between 18 and 19 million records from ANTS internal infrastructure. The seller described the data as a fresh "structural" compromise rather than a compilation of previously leaked information, and is actively marketing the database to other criminals.

The breach adds to a run of public-sector security incidents in France in recent months. The Education Ministry recently disclosed an intrusion involving impersonation of authorized staff accounts on the ÉduConnect platform used by students and families. Earlier this year, attackers accessed part of France's national bank account registry, exposing data linked to approximately 1.2 million accounts. In March, 15.8 million medical records were stolen from the French health ministry.

Technical investigations are ongoing to determine the origin, extent, and duration of unauthorized access. The agency has not disclosed the attack vector or how long intruders may have maintained access to systems before detection.

In separate cybersecurity developments, a Florida ransomware negotiator pleaded guilty to conspiring with BlackCat/ALPHV ransomware operators to attack U.S. companies. Angelo Martino, 41, admitted to sharing confidential victim information—including insurance policy limits and negotiation positions—with attackers while ostensibly representing victims. He received payments from the ransomware gang and helped deploy attacks against multiple organizations in 2023.

Martino and two co-conspirators extorted approximately $1.2 million in Bitcoin in one instance, splitting the proceeds. Federal authorities seized more than $10 million in assets including digital currency, vehicles, a food truck, and a luxury fishing boat purchased with scheme proceeds. Martino faces up to 20 years in prison at sentencing scheduled for July.

The case highlights conflicts of interest in the ransomware negotiation industry, where third-party intermediaries often operate without regulatory oversight. Martino was a former employee of cybersecurity firm DigitalMint, which stated it terminated involved employees upon learning of DOJ allegations and had no knowledge of the scheme.

Check Point Research reported this week that "The Gentlemen" ransomware group has become the second most active extortion operation globally, underscoring persistent threats despite law enforcement disruptions of major gangs like BlackCat following the FBI's takedown efforts last year.


Sources: The Register, Gizmodo, U.S. Department of Justice, Check Point Research

This story is developing.