French prosecutors have charged a 15-year-old suspect, operating under the alias "breach3d," in connection with the theft of up to 18 million records from France Titres (ANTS), the state agency responsible for issuing passports, ID cards, and other secure documents. The Paris Prosecutor's Office formally opened a judicial investigation on April 29, 2026, after the minor was detained on April 25. If verified at the upper bound, the breach would affect roughly one-third of France's population.

What Happened

France's office against cybercrime (OFAC) was alerted in April to an intrusion against ANTS, with the agency confirming the incident internally on April 13. The Paris Public Prosecutor's Office was notified three days later and launched its investigation the same day. The French Interior Ministry publicly acknowledged the attack on April 20 without naming a suspect.

Police arrested the 15-year-old minor on April 25. On April 30, Public Prosecutor Laure Beccuau requested formal charges and judicial supervision. The suspect faces two computer crime allegations: fraudulent access to a state-run automated data processing system, and extraction of data from it. Each offense carries up to seven years in prison and a maximum €300,000 fine, though France's juvenile justice system emphasizes rehabilitation over incarceration.

What Was Taken

Prosecutors estimate between 12 million and 18 million lines of data were offered for sale on cybercrime forums. The seller "breach3d" initially advertised 18 to 19 million records, slightly above the official estimate. Stolen fields include:

Notably, no attachments such as document scans or biometric photos were exposed. Even without those, the dataset is a high-value target for identity fraud, phishing, and synthetic identity construction, given its association with passport and national ID issuance.

Why It Matters

A government identity agency is the worst-case custodian for this category of PII to lose. The records map directly to individuals who hold or have applied for state-issued identity credentials, making the dataset particularly attractive for downstream fraud against banks, telcos, and government services that rely on these same data points for verification.

The case also underscores a recurring pattern: state systems holding citizen identity data are being compromised by individual actors, often young, with limited resources but significant access. The gap between the sensitivity of the data held and the maturity of the controls protecting it remains a persistent strategic risk for public sector defenders.

The Attack Technique

Specific intrusion vectors have not been disclosed by French authorities. The charges, fraudulent access to and extraction from an automated data processing system, suggest unauthorized access through technical means rather than insider abuse, but neither prosecutors nor ANTS have published indicators of compromise, exploited vulnerabilities, or initial access methodology. The data was monetized through cybercrime forums where breach3d marketed the trove for sale before law enforcement attribution.

What Organizations Should Do

  1. Audit access to citizen identity datastores. Enforce least-privilege on any system holding identity-document fields and require strong authentication plus session monitoring for administrative interfaces.
  2. Instrument exfiltration detection. Egress volumes consistent with multi-million-row dumps should trigger alerts; baseline normal query patterns and flag bulk reads against PII tables.
  3. Monitor cybercrime forums for branded data. Threat intelligence teams in government and regulated sectors should track marketplace listings referencing their organization or citizen ID schemas.
  4. Plan for downstream fraud. Banks, telcos, and verification providers serving the French market should expect a wave of identity fraud attempts using these fields and tighten knowledge-based verification.
  5. Tabletop the public-disclosure timeline. ANTS confirmed internally on April 13 but public confirmation came on April 20; align internal IR playbooks with regulatory disclosure obligations to avoid gaps adversaries can exploit.
  6. Reassess the threat model for low-resource attackers. A 15-year-old extracting tens of millions of records suggests systemic control gaps, not nation-state tradecraft. Test against unauthenticated and lightly-authenticated attack paths.
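As an added illustration of step 2 (not from the original article or from any ANTS system), the sketch below baselines hourly reads against PII tables per account and flags hours far above that baseline. The log format, account names, table names, and the `k` and `floor` thresholds are all assumptions to be replaced with values from your own database audit logs.

```python
from collections import defaultdict
from statistics import median

# Constructed audit records: "<hour> <account> <table> <rows_returned>".
# Account and table names are hypothetical.
BASELINE_LOG = """\
2026-01-05T09 svc_portal applicants 1200
2026-01-05T10 svc_portal applicants 1500
2026-01-05T11 svc_portal applicants 900
2026-01-05T09 svc_report applicants 40000
2026-01-05T10 svc_report applicants 42000
2026-01-05T11 svc_report applicants 39000
"""
LIVE_LOG = """\
2026-01-06T09 svc_portal applicants 1400
2026-01-06T10 svc_portal applicants 800000
2026-01-06T10 svc_portal applicants 750000
2026-01-06T10 svc_portal static_pages 900000
2026-01-06T09 svc_report applicants 43000
2026-01-06T11 svc_new applicants 60000
"""
PII_TABLES = {"applicants"}

def hourly_pii_reads(log):
    """Sum rows read from PII tables per (account, hour); other tables are ignored."""
    totals = defaultdict(int)
    for line in log.splitlines():
        hour, account, table, rows = line.split()
        if table in PII_TABLES:
            totals[(account, hour)] += int(rows)
    return totals

def flag_bulk_reads(baseline_log, live_log, k=6, floor=10_000):
    """Return (account, hour, rows, threshold) for live hours above the account's baseline."""
    history = defaultdict(list)
    for (account, _), rows in hourly_pii_reads(baseline_log).items():
        history[account].append(rows)
    alerts = []
    for (account, hour), rows in sorted(hourly_pii_reads(live_log).items()):
        past = history.get(account)
        if past:
            med = median(past)
            mad = median(abs(x - med) for x in past)
            # Median + k * MAD, with a 10% spread minimum so flat baselines are not hair-triggered.
            threshold = max(floor, med + k * max(mad, 0.1 * med))
        else:
            threshold = floor  # no baseline yet: only the absolute floor applies
        if rows > threshold:
            alerts.append((account, hour, rows, threshold))
    return alerts
```

On the constructed data, the high-volume reporting account stays under its own baseline, while the portal account's burst and the previously unseen account are both flagged.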

Sources: French prosecutors link 15-year-old to gov mega-breach • The Register