TL;DR: A massive database containing over 45 million French citizen records was discovered sitting unprotected on a cloud server. The data includes voter registries with full names, addresses, and birthdates; healthcare professional records; banking details with IBANs; and vehicle registration data. Researchers believe criminals compiled this from at least five different breaches to create comprehensive "identity graphs" for fraud. If you're French, assume criminals have your complete identity profile.

What Was Found

On January 14, 2026, Cybernews researchers discovered an unprotected cloud database hosted in France containing data from multiple sectors of French society:[1]

  • 23+ million voter/demographic records: Full names, addresses, birthdates
  • 9.2 million healthcare professional records: Mirroring official French registries
  • 6 million financial profiles: Including IBANs and BICs from French banks
  • 6 million vehicle/insurance records: Linking people to their cars
  • 6 million CRM contact records: From customer management systems

This isn't a typical corporate breach. The data comes from at least five unrelated sources. Someone collected, combined, and stored stolen data from multiple breaches into one comprehensive identity database.[2]

The Identity Graph Problem

This breach reveals a growing criminal tactic: building "identity graphs."

Instead of selling individual breach datasets, sophisticated criminals now combine data from multiple sources:

Cross-Reference

Match a person's voter record to their healthcare data to their banking info. Now you have their complete profile.

Fill Gaps

One breach has addresses, another has phone numbers, a third has birthdates. Combined: complete identity theft kit.

Higher Value

A unified profile sells for more than fragments. Criminals are becoming data brokers, but without any rules.

Synthetic Identities

Complete profiles enable creating fake identities that pass verification. Bank accounts, credit cards, loans, all in your name.

This database wasn't assembled by accident. Someone spent significant effort aggregating breach data to create maximum damage potential.

What Criminals Can Do With This

With voter data, healthcare records, banking details, and vehicle information combined, attackers can:

  • Identity theft at scale: They have everything needed to impersonate you: name, address, birthdate, bank account numbers
  • Highly targeted phishing: "This is your bank. We noticed unusual activity on your account ending in [your actual IBAN digits]."
  • Account takeovers: Security questions like "What's your date of birth?" or "What's your address?" are useless when criminals have the answers
  • Medical fraud: Healthcare records enable fake insurance claims and medical identity theft
  • Social engineering: Call pretending to be from government agencies, citing real registration numbers and personal details

Why This Matters Beyond France

This breach pattern (criminals aggregating data from multiple sources) isn't unique to France. It's happening everywhere:

  • The Gravy Analytics breach exposed location data that can be cross-referenced with other datasets
  • Corporate breaches worldwide are being collected, combined, and resold
  • Data broker companies legally do the same thing. Criminals just skipped the "legal" part

The scary truth: criminals are building the same comprehensive profiles that data brokers and advertisers build. The difference is what they do with them.

What You Can Do

Assume Compromise

If you're French, assume your identity data is in criminal hands. Act accordingly: freeze credit, enable fraud alerts, monitor accounts closely.

Don't Trust Caller ID

Criminals have enough info to impersonate banks, government, healthcare providers. Verify independently: call back using official numbers, not ones provided.

Enable Transaction Alerts

Get notified of every transaction on your bank accounts. Catch fraud early when you can still reverse it.

Strengthen Authentication

Security questions are worthless when criminals have the answers. Use authenticator apps and hardware keys where possible.

The Systemic Problem

This database existed because:

  1. Multiple organizations collected sensitive data
  2. Multiple organizations got breached
  3. Criminals aggregated the stolen data
  4. A cloud server was left unprotected

Regulators focus on individual organizations protecting data. But when criminals aggregate breaches faster than companies can secure them, individual security measures become meaningless.

Your data protection is only as strong as the weakest organization that holds your information. And there are thousands of organizations with your data.

References

  1. Cybernews - 45 Million French Records Exposed in Massive Data Leak (January 14, 2026)
  2. TechDigest - 45 Million French Citizens Exposed in Criminal Data Collection (January 2026)
  3. CNIL - French Data Protection Authority