The year 2026 opens on a worrying note for the cybersecurity of French public administrations. URSSAF has disclosed that a cyberattack, specifically targeting the application programming interface (API) of the Pre-Employment Declaration (DPAE) service, enabled the viewing and extraction of personal data belonging to 12 million French employees.
What is known about the method used? "Initial investigations show that fraudulent access to the DPAE API was carried out via a partner account authorized to view these details. The login credentials linked to this account had been stolen during a prior cybercrime incident targeting this partner," URSSAF notes, adding that its information systems themselves were not compromised.
Sensitive data, but limited in scope
The compromised information includes first names, last names, dates of birth, hire dates, and the employer’s SIRET number. However, URSSAF seeks to reassure those affected by clarifying that the most sensitive data remained secure: no Social Security number, banking details, postal address, e-mail address, or telephone number were exposed.
Despite this apparent limitation, cybersecurity experts warn that even partial data can serve as a basis for sophisticated phishing campaigns or be combined with other data leaks to facilitate identity theft.
The DPAE: a vital service at the heart of the breach
The pre-employment declaration is a mandatory formality that every employer must complete within the eight days preceding the hire of an employee who falls under the general Social Security regime. This declaration bundles several essential administrative steps: employer registration, affiliation to the unemployment insurance scheme, enrollment in an occupational health service, and the organization of the information and prevention visit.
Employers who made more than 50 hiring declarations in the previous calendar year are required to complete their DPAEs online: via the urssaf.fr portal, via net-entreprises.fr, or through the DPAE API. It is precisely this last option that served as the attack vector exploited by the cybercriminals.
In response to the incident, URSSAF acted quickly by suspending access to the compromised account and strengthening the authorizations of its partners. The agency also filed a notification with the National Commission on Information Technology and Civil Liberties (CNIL), in line with legal obligations relating to data protection, as well as a complaint with the public prosecutor.
URSSAF says that employers can continue to use the pre-employment declaration service as usual, and that security measures have been reinforced to prevent such an incident from recurring.
A call for vigilance against phishing
URSSAF urges the affected employees to exercise extreme caution in the face of phishing attempts. The agency reiterates the fundamental security rules: never disclose passwords or banking information by phone or e-mail, even if the request appears to come from an official organization.
The stolen data can indeed enable cybercriminals to carry out ultra-targeted phishing campaigns, posing as URSSAF or other administrations with real information about their victims, making fraud attempts all the more credible.
A grim run of incidents affecting the French public sector
This breach comes amid heightened cyber threats against French public-sector bodies. Last week, the Hubee platform, operated by the Interministerial Directorate for Digital Affairs (DINUM) for the exchange of administrative documents, was hacked, exposing 70,000 files representing 160,000 documents containing personal data.
The end of 2025 had already been marked by breaches at the Ministry of the Interior and the Ministry of Sports. Moreover, in November 2025, URSSAF’s Pajemploi service suffered a data theft affecting 1.2 million employees of private employers of childminders and home-based caregivers, compromising information such as names, dates and places of birth, postal addresses, and Social Security numbers.
These successive incidents reveal the persistent vulnerability of the information systems of French administrations to cyberattacks and underscore the urgency of strengthening the cybersecurity of digital public services.