Personal data belonging to foreign nationals residing in France was illegally published online earlier this month following a cyberattack linked to a subcontractor of the French Office for Immigration and Integration (OFII), authorities confirmed.
The data breach came to light on January 1, when a hacker posted files on a specialist online forum, claiming the attack was motivated by financial gain. The individual said the stolen information originated from OFII systems.
Two data samples were released publicly. The first contains information on fewer than 1,000 foreign nationals from countries including Ukraine, Cameroon, Afghanistan and China. The second file relates specifically to around 600 Israeli nationals currently or previously residing in France.
The leaked data includes highly sensitive personal details. According to the samples, information such as full names, dates of entry into France, reasons and types of residence permits, email addresses and phone numbers were exposed.
Contacted by Le Monde, OFII confirmed that a data theft had taken place but stressed that the intrusion did not directly compromise its internal information systems. Instead, the breach involved a third-party operator working on behalf of the agency.
“This is an intrusion that is not directly linked to OFII’s information system,” OFII Director General Didier Leschi said. He explained that the stolen data was accessed through a subcontractor authorized to handle certain immigrant records.
The information concerns individuals who participated in the contrat d’intégration républicaine (CIR), or republican integration contract. The CIR is a mandatory program for foreign nationals seeking long-term residence in France.
Under the CIR, immigrants commit to attending civic education and French language courses designed to support integration into French society. OFII oversees the program but relies on external operators to carry out parts of its implementation.
According to Leschi, one such operator had access to personal data related to the CIR and was used to extract the information now circulating online. Authorities have not yet determined whether the subcontractor was itself hacked or whether there was internal complicity.
“At this stage, we do not know whether the operator was the victim of a cyberattack or whether there was a form of collusion,” Leschi said, adding that investigations are ongoing.
OFII said it intends to file a formal complaint in connection with the breach. The agency also plans to impose sanctions on the operator involved and strengthen cybersecurity requirements for all subcontractors handling sensitive data.
The incident has raised fresh concerns about the security of personal data managed by state-linked agencies, particularly when private operators are granted access to sensitive information.
Cybersecurity experts have repeatedly warned that subcontractors can represent weak points in institutional data protection systems. Even when core databases remain secure, external partners may lack equivalent safeguards.
The breach may also have legal implications under European data protection rules. The General Data Protection Regulation (GDPR) requires organizations to ensure that any third parties handling personal data comply with strict security standards.
French authorities have not disclosed whether affected individuals have been notified, nor whether the data has been removed from the forum where it was initially posted.
For foreign nationals, the exposure of immigration-related data carries particular risks, including identity theft, harassment, or targeting based on nationality or legal status.
As investigations continue, the case underscores the growing challenges faced by public institutions in securing sensitive personal data in an era of increasingly sophisticated cyberattacks and complex outsourcing arrangements.