French prosecutors link 15-year-old to mega-breach at state’s secure document agency

Two computer crime allegations follow up to 18M lines of data surfacing online

by · The Register

French prosecutors say police detained a 15-year-old on April 25 over the alleged theft of millions of records from France Titres (ANTS), the agency handling secure documents.

The Paris Prosecutor's Office announced on Thursday that the minor, suspected of using the online alias "breach3d" and not named because French law protects minors, faces two computer crime allegations linked to an intrusion in which between 12 million and 18 million lines of data were offered for sale on cybercrime forums.

It formally opened a judicial investigation on April 29, covering alleged fraudulent access to a state-run automated data processing system and the extraction of data from it.

Each offense carries a potential prison sentence of seven years and a maximum €300,000 (~$350,000) fine.

Public Prosecutor Laure Beccuau has requested that the minor, whose pronouns, like their name, were also not specified, be formally charged and placed under judicial supervision.

Beccuau said that France's office against cybercrime (OFAC) was informed in April of a cyberattack against ANTS, which handles passports, ID cards, and other secure documents, and that ANTS confirmed the reports on April 13.

The Paris Public Prosecutor's Office was notified three days later and launched an investigation into the case the same day.

Public confirmation of the attack came from the French Interior Ministry on April 20, although it revealed no details about the suspected culprit. French police detained the 15-year-old on April 25, and prosecutors announced [PDF] on Thursday that they were seeking formal charges and judicial supervision.

The seller using the alias "breach3d" initially advertised the data trove as containing 18-19 million records – slightly above the upper range cited by Beccuau on Thursday – and the types of data offered for sale aligned with what the Interior Ministry had described.

These were: login IDs, full names, email addresses, dates of birth, unique account identifiers, postal addresses, and telephone numbers, but not any attachments such as scans or photos.

If the scale claimed by breach3d holds up, and if the records each pertained to unique individuals, this would constitute a breach affecting roughly a third of France's population.

France's approach to punishing minors via its legal system is typically geared toward re-education and rehabilitation rather than prison time.

While those aged between 13 and 16 can face time in juvenile detention, it is often used as a last resort measure.

The maximum sentences and fines for the charges the 15-year-old in this case faces are upper limits imposed on adult offenders, and would likely be lowered substantially in cases involving a minor, like this one. ®

France’s digital directorate dumping Windows desktops, adopting Linux instead: Après ça, le déluge, as plans call for move away from plenty more American software and hardwareSimon Sharwood, 13 Apr 2026France buys nuclear supercomputing spinoff Bull from Atos for €404M: Paris makes sovereignty play as it becomes sole shareholderDan Robinson, 01 Apr 2026French cops free mother and son after 20-hour crypto kidnap ordeal: Latest in a string of cases that have earned France an unfortunate titleConnor Jones, 15 Apr 2026Mistral boasts code-proofing agent offers champagne performance on a budget bière: Formal code verification and testing offer a way around AI blind spotsThomas Claburn, 17 Mar 2026