Cyber Incident Victim: Mairie de Thaon-les-Vosges
Date:
Mar 2025
Location:
France
Summary
The Mairie de Thaon-les-Vosges suffered a cyberattack where hackers stole 9GB of data, including personal information of residents and employees, from its municipal server and demanded a multi-million euro ransom. The municipality did not pay the ransom and promptly reported the incident to the CNIL and law enforcement agencies like the ANSSI and regional gendarmerie cybersecurity unit. While unconfirmed reports suggested the stolen data was sold on the dark web, the mayor stated no information confirmed actual sales at the time, with the investigation ongoing; the attack occurred while the town hall was migrating its data to an externalized, more secure system.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In early February 2025, the town hall of Thaon-les-Vosges experienced a cyberattack. Employees first detected anomalies when they encountered difficulties accessing certain information stored on the municipal server. This access disruption served as the initial indicator of compromise. Subsequently, the attackers directly communicated a ransom demand to the municipality. The hackers sought payment of several million euros in exchange for restoring access or not disclosing stolen data. Mayor Cédric Haxaire explicitly stated that the town did not pay the demanded ransom, citing the unaffordable amount. Upon receiving the ransom demand, Mayor Haxaire promptly filed a formal complaint with law enforcement authorities. He also reported the incident to the French data protection authority, the CNIL (Commission nationale de l'informatique et des libertés). The primary focus of the response was to mobilize specialized cybersecurity resources for investigation and recovery. Key entities engaged included the French national cybersecurity agency, ANSSI (Agence nationale de la sécurité des systèmes d'information), and the Grand Est regional cybersecurity unit of the gendarmerie, which took the lead on the criminal investigation.
The attackers successfully exfiltrated approximately 9 gigabytes of data from the town hall's server, which held a total of about 1,000 gigabytes (1 terabyte) of information. Reports from the media outlet Zataz indicated that the stolen data, allegedly consisting of citizen name changes and the personal identities and contact details of employees and elected officials, was potentially offered for sale on the dark web. However, Mayor Haxaire clarified that, as of the reporting date, the town hall had no confirmed information regarding any actual sale of this data, acknowledging it was possible but unverified while the investigation continued. The cyberattack occurred during an ongoing project to enhance municipal data security. The town hall was already in the process of migrating its data to an externalized hosting solution, aiming to eliminate the need for an on-premises server and strengthen overall security posture. Mayor Haxaire expressed that this migration, accelerated by the incident, would lead to a more secure environment for municipal data in the future.