Data breaches: CNIL raises the alarm after a record year

It's hard to be clearer: in 2025, France broke its own record for personal data breaches. The CNIL (French Data Protection Authority) recorded 6,167 notifications, a 9,5% increase year-on-year. A dry, administrative figure, but behind it lie names, addresses, social security numbers, and sometimes health information. And a stark finding: approximately half of the recorded incidents stemmed from hacking.

Three major areas of focus are being scrutinized: government, healthcare, and finance and insurance. This is no small matter. These are sectors where information is worth its weight in gold, sometimes more than a safe, and where the slightest vulnerability can have a significant impact on the daily lives of French citizens. The CNIL (French Data Protection Authority) also points out that its report does not include certain waves of cascading data breaches related to software shared by professionals, a detail that changes the scale of the phenomenon.

When subcontractors become the weak link

This is where the modern mechanics of data leaks become apparent: a single incident can generate thousands of notifications. The CNIL (French Data Protection Authority) cites the attacks targeting Weda in November and Harvest in February, two cases which, on their own, generated more than 11,600 notifications from client companies, despite stemming from a single event. The domino effect, digital version. And in this game, service providers, often smaller and less well-equipped with security measures, find themselves at the center of the action, sometimes without the resources to defend themselves.

The start of 2026 shows no signs of slowing down; on the contrary, more than 2,730 breaches have already been recorded in the first quarter alone, a clear sign of acceleration. In recent months, significant leaks have affected a wide range of stakeholders, from sports federations to hotel chains, and even the National Agency for Secure Documents (ANTS). In other words, no one is observing this from the sidelines: we're all affected.

Faced with this attack-driven economy, the head of the CNIL (French Data Protection Authority), Marie-Laure Denis, warns that "no one is spared." She points to the market value of data, particularly health data, and the role of artificial intelligence, which automates and personalizes these attacks. The announced response: stricter controls and more stringent enforcement measures, to be intensified in 2026, with a rule that leaves no room for error: notification within 72 hours in the event of a risk to individuals. It remains to be seen whether this tightening of regulations will be enough to quell the surge or whether the coming year will confirm that data leaks have, unfortunately, become a mere background noise.