The Agence Nationale des Titres Sécurisés (ANTS), the French government agency responsible for issuing secure identity documents, has confirmed a data breach after a threat actor claimed to have exfiltrated 19 million records. The incident places one of France's most sensitive citizen-facing platforms at the center of a major identity-data exposure event.

What Happened

ANTS officially acknowledged unauthorized access to systems tied to its digital document issuance services. A threat actor publicly claimed possession of approximately 19 million records drawn from the agency's databases, which support applications for passports, national ID cards, driver's licenses, and vehicle registration certificates. The agency confirmed the intrusion but has not publicly validated the full scope asserted by the attacker. Investigations by French national authorities, likely coordinated with ANSSI and CNIL, are underway.

What Was Taken

Although ANTS has not released a complete inventory, the records tied to its platform typically include:

With 19 million alleged records, the dataset could cover a substantial portion of French adult citizens who have interacted with ANTS services in recent years.

Why It Matters

Identity-issuance agencies sit at the apex of civil trust infrastructure. A breach at ANTS is not a commodity credential leak: it is source-of-truth identity data. Attackers holding this information can fuel high-fidelity social engineering, synthetic identity fraud, SIM-swapping, tax fraud, and targeted phishing against French citizens and expatriates. For allied intelligence services and adversaries alike, such a corpus is a strategic asset. The incident also raises pressure on EU member states to harden the public-facing perimeters of digital government services, a recurring soft target over the past two years.

The Attack Technique

ANTS has not disclosed a confirmed intrusion vector at the time of reporting. Based on precedent across comparable government portal compromises, plausible avenues include:

The scale of 19 million records suggests either direct database access or a systemic API authorization flaw rather than phishing of a single operator.

What Organizations Should Do

  1. Audit all public-facing identity and citizen-service APIs for broken object-level authorization (BOLA/IDOR) and enforce strict rate limiting.
  2. Rotate credentials, API keys, and session tokens for any integrations that touch citizen identity datastores, and revoke stale third-party access.
  3. Deploy anomaly detection on bulk-read queries and enumeration patterns against identity tables, with alerting on unusual volumetric access.
  4. Validate that database-level encryption, field-level tokenization, and strict logging are in place for PII stores.
  5. Brief fraud, call-center, and citizen-support teams on the elevated risk of social-engineering attempts that target French nationals and cite legitimate ANTS details.
  6. Coordinate with ANSSI and sector CERTs for shared indicators and monitor dark-web forums for sale or leak of the claimed 19M dataset.
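
One way to implement the bulk-read and enumeration alerting from item 3 over API access logs, as an added example that is not code from ANTS or the source article. The log layout, the /api/v1/applications/ path, the client names, and the thresholds are all assumptions, and the sample traffic is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed log layout (hypothetical): ISO-8601 time, API client id, request line, status.
LINE = re.compile(r"^(\S+) (\S+) GET /api/v1/applications/(\d+) (\d{3})$")

def detect(lines, window=timedelta(seconds=60), max_distinct=20, seq_ratio=0.8):
    """Map each client that reads > max_distinct distinct records in one window to a reason."""
    recent = defaultdict(deque)  # client -> (time, record_id) pairs still inside the window
    alerts = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m.group(4) != "200":
            continue  # count only successful record reads
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        client, rid = m.group(2), int(m.group(3))
        q = recent[client]
        q.append((ts, rid))
        while ts - q[0][0] > window:  # expire reads older than the window
            q.popleft()
        ids = [r for _, r in q]
        if client not in alerts and len(set(ids)) > max_distinct:
            # Share of consecutive requests that step the identifier by exactly +1
            steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
            ratio = steps / (len(ids) - 1)
            alerts[client] = "enumeration" if ratio >= seq_ratio else "bulk-read"
    return alerts

def sample_log():
    """Constructed sample traffic for four hypothetical clients (not real data)."""
    t0 = datetime(2025, 1, 1, 10, 0, 0, tzinfo=timezone.utc)
    def row(client, offset_s, rid):
        ts = (t0 + timedelta(seconds=offset_s)).isoformat()
        return f"{ts} {client} GET /api/v1/applications/{rid} 200"
    rows = []
    rows += [row("portal-web", i, 42 + i % 3) for i in range(30)]   # few records, re-read
    rows += [row("key-7f3a", i, 1000 + i) for i in range(30)]       # sequential walk
    rows += [row("batch-job", 2 * i, 500000 + (i * 7919) % 100000) for i in range(25)]  # scattered
    rows += [row("slow-sync", 10 * i, 9000 + i) for i in range(30)] # sequential but slow
    return rows

if __name__ == "__main__":
    for client, reason in detect(sample_log()).items():
        print(client, reason)
```

With the default 60-second window the constructed slow-sync client stays under the threshold, so a second pass with a longer window (for example hourly or daily distinct-record counts per client) is needed to catch low-rate walks.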

Sources: French agency ANTS confirmed data breach, hacker claims 19 million records | Ukraine news - #Mezha