The Proof of Concept Nobody Wanted
France’s national identity agency — the system managing every passport, ID card, and driver’s licence in the country — was breached by a 15-year-old exploiting an IDOR vulnerability so basic the attacker called it “really stupid.” 11.7 million records confirmed exposed. France was one of six EU member states rated “high preparedness” for the EUDI Wallet. The wallet that 450 million Europeans will use from December 2026 depends on these same government identity APIs for its initial provisioning. The certification standard does not yet exist. Part 4 of the EU Regulatory Landscape series.
This piece connects to Part 3 of the EU Regulatory Landscape series, which documented that the EUDI Wallet has no finalised security standard, no pan-European certification, and that fewer than one quarter of EU member states showed wallet-enabled applications at the Commission’s own testing event. France was identified as one of six member states showing high preparedness. France just became the most consequential data point in the entire series.
The Agency That Was Supposed to Be Ready
On April 15, 2026, the Agence Nationale des Titres Sécurisés — ANTS, now rebranded as France Titres — detected unauthorised access to its central portal. The agency manages every French passport, national ID card, driver’s licence, residency permit, and vehicle registration. It operates under the French Ministry of the Interior. It is one of the most sensitive government identity systems in Europe.
One day after the breach was detected, a threat actor using the alias “breach3d” posted a claim on criminal forums, alleging to hold between 18 and 19 million records drawn from ANTS systems, put up for sale at an undisclosed price. The exposed data includes full names, dates of birth, email addresses, postal addresses, phone numbers, and unique government account identifiers. Security researchers traced the attack to an Insecure Direct Object Reference vulnerability in the ANTS API — a flaw so basic the attacker called it “really stupid.”
A 15-year-old suspect was detained on April 25. The teenager, believed to have operated under the alias “breach3d,” offered between 12 and 18 million records for sale on hacking forums. The Paris prosecutor’s office has opened a formal investigation into the minor on computer crime charges.
ANTS published an update on the incident on April 24 confirming that 11.7 million accounts were impacted.
11.7 million confirmed. 19 million claimed. A 15-year-old with an API parameter manipulation tool. The agency responsible for the most sensitive identity documents in France — the country identified in ENISA’s own EUDI Wallet readiness assessment as one of six member states showing high preparedness — was breached by one of the most elementary vulnerability classes in the security taxonomy. No sophisticated tooling required. No nation-state resources. No advanced persistent threat. Just a teenager who noticed that changing a number in an API request returned someone else’s data.
That is not a sophisticated attack. That is a governance failure wearing the clothes of a cyberattack. And it lands at the precise moment that Part 3 of this series documented the EU preparing to deploy the EUDI Wallet — the authentication infrastructure for 450 million European citizens — without a finalised security standard.
France’s Breach Pattern and What It Reveals
The ANTS incident is not France’s first government data breach of 2026. It is the fourth.
France has been losing government data consistently. In February 2024, the French healthcare payment system through Viamedis and Almerys was breached, exposing data on 33 million people — nearly half the country. In early 2026, France’s national bank account registry FICOBA was breached, exposing 1.2 million accounts. In March 2026, the Ministry of Sports confirmed a breach of its systems. In 2025, Cegedim Santé, a healthcare data processor, was breached exposing medical records of 15 million French citizens. The ANTS breach in April 2026 represents the second incident targeting the same agency — a previously unverified breach in September 2025 reportedly exposed approximately 12 to 13 million records.
Read that sequence carefully. The same agency, breached twice in seven months. The second breach larger than the first. The technical fix applied after September 2025 did not close the vulnerability that April 2026 exploited. The remediation was incomplete, the security posture was insufficient, and the result was the largest administrative data leak in French history — detected four months after the country was identified as one of the EU’s most digitally prepared member states.
France’s rapid digitisation of government services, plus geopolitical and structural factors, has seen the number of cyberattacks surge. The attacker described exploiting the vulnerability and suggested the breach was meant to punish the French government for its security failures. “Despite all their talk about ‘security,’ their infrastructure has proven totally inadequate,” the hacker posted alongside the data listing.
The attacker’s framing — punishing a government that talks about security without practising it — is theatrics. The underlying observation is technically accurate. An IDOR vulnerability in a government API that handles passport and national ID applications is not an edge case that sophisticated adversaries discover through prolonged reconnaissance. It is a basic security control failure that a competent security review would identify in a routine penetration test. The question that the breach raises is not how a 15-year-old found it. It is why it was there to find — in the most sensitive identity infrastructure in France, in a country that the EU’s own readiness assessment characterised as highly prepared for digital identity deployment.
The EUDI Wallet Connection That Nobody Is Making Loudly Enough
Part 3 of this series closed with a sentence from the 2026 European Cybersecurity Certification Conference: Security Claims Must Be Proven — Not Promised. The France Titres breach is the proof arriving before the claim was adequately tested.
The EUDI Wallet that every EU member state must deploy by December 2026 is built on the same foundational assumption that ANTS was built on: that centralising identity credential management in a government-operated digital platform, with appropriate security controls, produces a system that citizens can trust with their most sensitive identity information. The EUDI Wallet’s privacy architecture is more sophisticated than ANTS — zero-knowledge proofs, decentralised credential storage on the user’s device, no central database in the strict sense. But the trust infrastructure that underlies it — the qualified trust service providers, the national wallet implementations, the API layers through which relying parties verify credentials — creates exactly the kind of interface surface that an IDOR vulnerability lives in.
Critics say the breach has exposed exactly why handing governments vast centralised databases of citizen identity information creates a dangerous single point of failure. What was once stored in localised offices and paper filing systems is now consolidated into internet-accessible databases that become prime targets for cybercriminals, foreign actors, and organised hacking groups.
The EUDI Wallet’s architects made a deliberate choice to avoid the centralised database model. Credentials are stored on the device. The wallet does not create the single database that ANTS represents. That architectural decision is genuinely protective and reflects the lessons of exactly the kind of breach France just experienced.
The vulnerability that the EUDI Wallet inherits from the France Titres breach is different and more subtle. It is the vulnerability of the onboarding process — the moment at which the EUDI Wallet is first provisioned, when the user’s identity is verified against government records to establish the initial credential. That verification process requires the wallet infrastructure to communicate with government identity systems. In France, that means the same agency, the same API layer, the same infrastructure that “breach3d” exploited with a parameter manipulation that a 15-year-old executed. That type of flaw allows an attacker to access another user’s data simply by manipulating a parameter in a request.
Need intelligence like this on a decision you're facing?
DSI Advisory Services helps boards, business leaders, defence institutions, and security leaders understand threats before they reach the horizon — where cyber, geopolitics, and business risk converge.