Overview
- CNOUS, which runs student services, said Tuesday that data tied to 774,000 appointments over the past decade were exfiltrated from its mesrdv.etudiant.gouv.fr site, including 139,000 users with uploaded attachments and 635,000 with basic details like name, email, subject and date.
- The appointment platform is now offline for fixes, CNOUS has notified the CNIL privacy regulator and filed a complaint, and the agency will contact each affected person with next steps.
- Separate to the student case, the Education Ministry confirmed a March 15 intrusion into Compas, its HR tool for trainee teachers, exposing about 243,000 personnel records with names, postal addresses, phone numbers, absence periods and tutors’ professional landlines.
- The ministry says an external account takeover enabled the Compas breach, which its security center detected on March 19, and an entity calling itself “Hexdex” has posted sample records for sale, prompting formal alerts about likely phishing and identity fraud attempts.
- Outlets tracking the incidents report a broader pattern, with the Catholic education secretariat citing a distinct breach of administrative data for about 1.5 million people, and watchdog site FrenchBreaches highlighting hacker claims of large Crous data dumps that officials have not detailed.