France confirms a breach at the agency behind national IDs and passports

France has confirmed a data breach at Agence Nationale des Titres Sécurisés, or ANTS, the government agency that manages national ID cards, passports, driver’s licenses, and immigration documents. The agency said on Wednesday that attackers may have stolen personal data tied to user accounts on its portal, and that affected people are being notified.

This is the kind of breach that matters beyond France because identity-document systems sit close to the center of civic life. When an attacker gets names, birth details, addresses, and contact information from a government identity platform, the immediate risk is not just embarrassment. It is phishing, impersonation, account recovery abuse, and a longer tail of fraud that can keep surfacing long after the original intrusion is contained.

According to ANTS, the exposed data may include login IDs, full names, email addresses, dates of birth, and unique account identifiers, with some records also including postal addresses, places of birth, and phone numbers. The agency said it detected the incident on April 15 and notified France’s data protection authority CNIL, the Paris public prosecutor, and ANSSI, the national cybersecurity agency. ANTS also said the stolen information does not by itself allow access to its online services.

As first reported by TechCrunch, outside reporting from BleepingComputer points to a threat actor claiming to hold as many as 19 million records and offering the dataset for sale. That figure remains unconfirmed, and ANTS has not publicly disclosed how many people were affected, so the safe reading for now is that the breach is serious but still being scoped. That distinction matters because confirmed exposure and claimed haul size are not the same thing.

The practical implication is straightforward. Even if no passwords or direct portal access were exposed, this dataset would be valuable for highly targeted scams pretending to come from ANTS or other state services. Users in France should treat unsolicited emails, calls, and SMS messages about identity documents with extra caution over the next several weeks. Source: TechCrunch, citing ANTS’ public notice and follow-up reporting.