Massive Hack Hits French Catholic Schools Network, Exposing Data on 1.5 Million Students, Parents, Staff

A major cyberattack on France’s national Catholic education office exposed identifying and contact information tied to roughly 1.5 million people, mostly elementary-age students and their families, according to the organization.

The breach, confirmed by the Secretariat-General for Catholic Education (known in France as the SGEC), targeted an administrative management app used by Catholic preschools and elementary schools. Officials say they shut down affected services, began securing systems, and alerted government authorities, including France’s privacy watchdog.

So far, the SGEC says there’s no indication that bank or medical data was exposed. But the information that did leak, names, addresses, emails, phone numbers, and birth dates, can be enough to fuel highly targeted scams.

What happened, and who the SGEC is

The SGEC is the national coordinating body for Catholic education in France, a large private-school network that operates under contracts with the French state. Think of it less like a single school district and more like a nationwide umbrella organization that supports thousands of schools.

The SGEC said the attack occurred March 21, 2026, and involved an application used for day-to-day administrative management in “first degree” schools, France’s term for preschool and elementary grades.

How big the exposure is

The organization estimates about 1.5 million people were affected, including roughly 800,000 elementary-level students and about 40,000 teachers, along with parents and other staff.

That doesn’t necessarily mean 1.5 million full student files were dumped online. But cybersecurity experts warn that even “basic” identity and contact data becomes dangerous at scale, especially when it’s tied to children and school communities.

What data was exposed, and why it matters

According to the SGEC’s public statements, the exposed information includes civil identity and contact details: first and last names, home addresses, email addresses, phone numbers, and dates of birth.

No passwords were cited in the initial disclosures. Still, that doesn’t let families off the hook. A scammer who knows a child’s name, school context, and a parent’s phone number can craft a message that looks and feels real, an “update your student file” text, a fake school portal link, or a call pretending to be an administrator verifying identity.

In the U.S., this is the same playbook used in school-themed phishing waves that mimic district robocalls, lunch-account notices, or “emergency contact” updates, except here the attackers may have a ready-made, verified contact list.

Why families could see a spike in phishing attempts

Even without account access, leaked birth dates and addresses can help criminals bypass weak identity checks or convince victims they’re dealing with a legitimate office. It’s the difference between a generic spam email and a message that correctly names a child and references school paperwork.

Schools can also get hit indirectly. When staff are flooded with worried calls and emails, attackers sometimes exploit the chaos, posing as vendors or administrators and pushing fraudulent payment requests or “urgent” wire transfers.

What officials are doing now

The SGEC said it suspended impacted services and launched an incident-response effort to secure access and investigate how the attackers got in. The group also said it notified France’s Ministry of National Education, the central government body that oversees the country’s education system.

It also plans to report the incident to CNIL, France’s powerful data protection authority, roughly comparable to a mix of the FTC’s consumer-protection role and state-level privacy regulators in the U.S. CNIL can require disclosures, oversee compliance steps, and impose penalties in serious cases.

What families are being told

For now, families are not being asked to take any urgent action, according to messages relayed through parent organizations. But the practical advice is familiar: treat school-related emails, texts, and calls with extra skepticism, especially anything that pressures you to click a link, share personal information, or “confirm” details.

The bigger question is what happens next. Once personal data is accessed, it can circulate far beyond the breached system, sold, repackaged, and reused for months. The SGEC’s technical cleanup may restore services, but rebuilding trust with families could take much longer.