Cybernews researchers have confirmed the discovery of a publicly exposed cloud database containing approximately 45 million French citizens' records, one of the largest data exposures in French history. The archive is not the result of a single breach. It is a compiled dataset built from at least five separate prior incidents, merged into a single searchable resource by what researchers believe was a criminal data broker maximizing resale value. The server has since been secured, but the data had already been assembled, indexed, and exposed.
What Happened
The database was found sitting on an unsecured cloud server with no authentication required. Cybernews researchers identified it as a compound dataset, aggregated from multiple prior breaches rather than sourced from a single intrusion. The compilation includes records from voter registries, healthcare systems, financial institutions, and vehicle registration databases, all merged into one cross-referenced archive.
The server has been taken down, but the exposure window is unknown. When a dataset like this is assembled and left open, the working assumption must be that it was accessed by malicious actors before discovery.
What Was Taken
The database contained four distinct data categories:
- Voter/demographic registries: 23+ million entries including full names, home addresses, and dates of birth
- Healthcare registries: ~9.2 million records linked to France's RPPS/ADELI professional healthcare registries, covering registered medical practitioners and patients
- Financial profiles: ~6 million records including IBANs and BICs tied to French banking institutions
- Vehicle registration and insurance data: Scope unspecified but included in the compiled archive
- CRM-style contact records: ~6 million entries with contact and personal identification data
The combination is what elevates severity. Each dataset alone is damaging. Cross-linked, they produce complete identity dossiers: name, address, DOB, bank account details, healthcare status, and vehicle ownership in a single query.
Why It Matters
This is a data broker operation, not a targeted hack, and that distinction makes it more dangerous at scale. Someone did the aggregation work so buyers don't have to. The resulting dataset enables:
- Spear phishing at scale: Attackers can reference correct name, address, and bank with high confidence, making social engineering significantly more convincing
- Account takeover and fraud: IBAN/BIC data combined with identity records is sufficient to initiate fraudulent bank transfers in many EU banking environments
- Synthetic identity creation: Full DOB + address + financial data is the standard toolkit for credit fraud and loan applications
- Healthcare identity theft: RPPS/ADELI registry data can be used to impersonate medical professionals or fraudulently access healthcare services
France is not an isolated case. This follows a pattern of criminal data brokers aggregating national-scale breach data into premium packages for resale on dark web markets. The compiled nature also creates cross-border exposure; anyone who used French financial or healthcare services, worked in France, or holds dual nationality may have records in the underlying source breaches.
The Attack Technique
This was not a zero-day or advanced intrusion. The immediate failure was a misconfigured cloud storage bucket or server with no access controls, a finding consistent with the majority of large-scale data exposure incidents. The more significant operational failure is upstream: the underlying data came from at least five prior breaches that fed into this compilation. The data broker who assembled it exploited existing breach datasets, not live systems. No initial access technique was required beyond purchasing or obtaining previously leaked data.
The exposure vector that allowed discovery was simply an unauthenticated public endpoint; the compiled database was accessible to any internet scanner.
What Organizations Should Do
- Audit cloud storage for public exposure immediately. S3 buckets, Azure Blob containers, and GCS buckets should have explicit deny-public policies enforced at the organizational level, not left to individual configuration. This class of incident is entirely preventable.
- Assume your users are in this dataset. Any organization serving French customers should treat IBAN, contact, and identity data as actively at risk. Harden authentication flows (particularly for account changes, payment updates, and password resets) against social engineering using accurate personal data.
- Review data minimization policies. The aggregation that made this dataset valuable was enabled by organizations retaining more data than necessary for longer than necessary. Enforce retention limits.
- Deploy anomaly detection on financial transactions. With IBAN/BIC data in circulation, fraudulent transfer attempts using accurate account identifiers should be expected. Behavioral anomaly detection on payment flows is the relevant control.
- Brief customer-facing staff on high-confidence phishing. When attackers have accurate PII, social engineering success rates rise sharply. Staff who handle account verification, password resets, or payment changes are the target; they need updated awareness that callers with correct personal details are not automatically legitimate.
- Monitor dark web markets for dataset sales. The assembly and exposure of this archive suggests active monetization intent. Organizations with French customer bases should run threat intelligence monitoring for derivative sales of this data.
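For the first recommendation above (auditing cloud storage for public exposure), the following is an added example, not code from Cybernews or any vendor: an offline check of exported S3 bucket settings that flags missing Public Access Block flags, wildcard-principal policy statements, and ACL grants to public groups. It covers S3 only; the input dictionary shape and the bucket names are assumptions made for illustration.

```python
import json

# The four S3 Public Access Block settings; all should be true.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")
PUBLIC_GROUPS = ("http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers")

def anonymous_statements(policy):
    """Labels of Allow statements whose principal is the wildcard.
    A Condition may narrow access, but the statement is still reported for review."""
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):      # a lone statement may be a bare object
        stmts = [stmts]
    hits = []
    for i, s in enumerate(stmts):
        p = s.get("Principal")
        aws = p.get("AWS") if isinstance(p, dict) else p
        wildcard = aws == "*" or (isinstance(aws, list) and "*" in aws)
        if s.get("Effect") == "Allow" and wildcard:
            hits.append(s.get("Sid", f"statement[{i}]"))
    return hits

def audit_bucket(cfg):
    """cfg keys (assumed export format): name, public_access_block, policy, acl_grants."""
    pab = cfg.get("public_access_block") or {}
    findings = [f"{flag} is not enabled" for flag in PAB_FLAGS if not pab.get(flag)]
    exposures = []
    anon = anonymous_statements(json.loads(cfg["policy"]) if cfg.get("policy") else {})
    if anon and not pab.get("RestrictPublicBuckets"):
        exposures.append("policy grants anonymous access: " + ", ".join(anon))
    public_acl = [g for g in cfg.get("acl_grants", [])
                  if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS]
    if public_acl and not pab.get("IgnorePublicAcls"):
        exposures.append(f"{len(public_acl)} ACL grant(s) to a public group")
    return {"bucket": cfg["name"], "exposed": bool(exposures),
            "findings": findings + exposures}

# Constructed sample inventory; bucket names are hypothetical.
SAMPLE = [
    {"name": "example-crm-exports", "public_access_block": None, "acl_grants": [],
     "policy": json.dumps({"Statement": [{"Sid": "PublicRead", "Effect": "Allow",
                           "Principal": "*", "Action": "s3:GetObject",
                           "Resource": "arn:aws:s3:::example-crm-exports/*"}]})},
    {"name": "example-billing", "policy": None,
     "public_access_block": dict.fromkeys(PAB_FLAGS, True),
     "acl_grants": [{"Grantee": {"URI": PUBLIC_GROUPS[0]}, "Permission": "READ"}]},
]
```

Calling `audit_bucket` on each entry of `SAMPLE` reports the first bucket as exposed through its policy, while the second is not exposed because `IgnorePublicAcls` neutralizes its leftover public ACL grant.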