Hack Exposes Home Addresses of 243,000 French Education Workers, Raising Fears of Targeted Scams

A cyberattack on France’s national education system has exposed personal data for roughly 243,000 government employees, including home addresses and phone numbers, information that can turn a routine data breach into a roadmap for targeted fraud.

France’s Education Ministry said the intrusion hit a human-resources tool called Compas, used to manage and track student teachers and their supervisors. The breach occurred March 15, 2026, was detected March 19, and disclosed publicly March 23, after a sample of the stolen data had already surfaced on data-resale sites.

A breach inside France’s school system HR pipeline

The attack targeted Compas, an internal HR platform used to administer trainee teachers in France’s primary and secondary schools, roughly the equivalent of a system used to manage student teachers and early-career educators across U.S. K–12 districts.

Tools like this don’t just store names. They typically hold the practical details administrators need to place, supervise, and evaluate staff: identities, contact information, and employment-related notes. When an attacker gets in, the payoff isn’t a generic directory, it’s a set of profiles that can be exploited in the real world.

The ministry said it shut down access to Compas while it checks other systems for signs the intruder may have moved laterally. That’s standard containment, but it can also disrupt day-to-day operations, pushing staff toward workarounds like spreadsheets and email chains that can create new security headaches.

Home addresses and phone numbers: the detail that changes the risk

According to the ministry, the compromised data includes first and last names, home mailing addresses, and phone numbers. That combination is especially valuable to scammers because it makes impersonation easier, and more convincing.

With an address and a phone number, criminals can move beyond spam and into tailored social engineering: calls that sound like they’re coming from a regional education office, texts that mimic internal procedures, or letters sent to a home that “prove” the sender knows who you are. The goal is often to extract login codes, bank details, or identity documents.

The breach also includes information about periods of absence, though not the reason for the absence. Even without the “why,” that kind of administrative detail can be used to craft believable hooks, messages claiming a leave file needs to be “regularized,” for example, or that paperwork is missing.

Supervisors who mentor trainee teachers were also affected, with their names and work landline numbers included. That widens the pool of potential victims and creates more angles for impersonation, posing as a supervisor to pressure a trainee, or as an administrator to pressure a supervisor.

Data already advertised for sale under the name “Hexdex”

The ministry said an entity using the alias “Hexdex” posted a sample of the data on resale sites. In the underground data market, that kind of teaser functions as proof, bait for buyers and a signal that broader exploitation may follow.

Even a partial dump can be enough to launch large-scale phishing and phone-based scams. And once data is copied and reposted, it can be nearly impossible to claw back.

France’s cyber authorities and privacy watchdog are now involved

The Education Ministry said it has referred the case to ANSSI, France’s national cybersecurity agency, similar in role to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and to CNIL, the country’s powerful data-protection regulator, which enforces privacy rules akin to Europe’s GDPR framework.

The ministry also said it is preparing to file a formal criminal complaint in Paris. Investigators will likely focus not only on who broke in, but on whether safeguards were adequate and whether affected employees were notified quickly enough to protect themselves.

The timeline is already drawing attention: four days between the intrusion and detection, and several more before public disclosure. Governments often argue they need time to confirm what happened before sounding alarms. But when data is already circulating for sale, every day can increase the odds that more copies spread, and that more people get targeted.

A wave of attacks on French public agencies

The breach lands amid a string of cyber incidents hitting French institutions since late 2025. In recent weeks, a national office tied to Catholic education in France reported an attack exposing administrative data tied to about 1.5 million people. French media have also reported breaches affecting the Interior Ministry and the Sports Ministry, including one incident involving data tied to roughly 3.5 million people.

The Education Ministry emphasized that those databases are separate from Compas. Still, the pattern is clear: public agencies hold huge volumes of personal information, and attackers keep probing for the less-visible systems, specialized HR and administrative tools, that can become soft targets.

For the 243,000 employees caught up in this breach, the immediate concern is practical: how to spot a fake call, a convincing text, or a letter that looks official. The larger question for France, and any government running sprawling digital systems, is whether security investments can keep pace with the growing number of platforms, vendors, and access points that expand the attack surface.