Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
French Police Cyberattack Exposed: Weak Passwords Led to Data Breach

17 January 2026 08:11

During a hearing in the French Senate, Interior Minister Laurent Nuñez gave details of the cyberattack that hit his ministry, immediately clarifying that some of the information remains covered by cyber secrecy and an ongoing judicial investigation.

The minister reconstructed the sequence of events: the alert was triggered on November 25, when the General Directorate of the National Police detected password changes on several email accounts. Subsequent investigations determined that the intrusion involved only National Police email accounts.

A lack of digital hygiene

According to Nuñez, the attacker took control of the compromised accounts and used them to perform targeted searches, typing keywords related to secrets, application names, and passwords. This operation was made possible by a serious lack of digital hygiene: some employees were exchanging login credentials directly via email.

Thanks to this information, the hacker was able to access a portal containing around 150 police applications. Seven of these were actually accessed, including the TAJ (criminal records management system), the FPR (wanted persons registry), and the Interpol databases, all containing extremely sensitive data.

From the TAJ, which contains approximately 19 million records, 72 individual records were exfiltrated. Additionally, “several tens of thousands of rows” of summary data were stolen, containing basic information such as name and marital status, but lacking the reason for registration. From the FPR database, 23 complete records and approximately 3,000 summary entries were stolen. Regarding Interpol, ten records were consulted, and only one was actually exfiltrated.

No data alteration

The minister wanted to clarify a fundamental aspect: no data was modified or destroyed. The attacker did not alter the files or compromise ongoing operational procedures. The goal of the attack was solely to exfiltrate information, presumably for resale purposes.

A 22-year-old man was arrested as part of the investigation. He was already known to law enforcement for swatting (anonymous calls intended to provoke police intervention) and for hijacking telephone lines.

The intrusion was also claimed on a data trading forum by “Shiny Hunters,” likely in retaliation for a previous police operation. No “active signs of attack” have been detected since mid-December. The last indication of an intrusion dates back to December 16, while the arrest occurred the following day.

Two-factor authentication for everyone

Nuñez finally outlined the urgent corrective measures taken. All email account passwords were reset, and approximately 1,000 obsolete accounts were deactivated. Technical teams conducted an in-depth forensic analysis to reconstruct the attacker’s every movement within the systems, precisely identifying the seven compromised applications and access to two other portals, although no concrete actions were detected on these portals.

At the same time, two-factor authentication was immediately introduced for all applications on the affected portal and will be gradually extended to the Ministry’s entire IT system.

The minister acknowledged that this is a challenging change for an administration with approximately 300,000 users and hundreds, if not thousands, of IT systems. However, he said the transition is inevitable: “You can’t go from a simple password to strong authentication overnight without profoundly impacting the organization.”

The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.