Cyber Incident Victim: Métropole du Grand Paris

In February 2025, the Métropole du Grand Paris (MGP) discovered unauthorized extraction of personal data from its servers. The intercommunal administration confirmed the breach after detecting fraudulent access during that month. Compromised information included names, first names, telephone numbers, and personal or professional email addresses of approximately 5,000 individuals. Among those affected were 250 MGP staff members, 208 elected officials, and various organizational partners associated with the metropolitan authority. The incident came to light when multiple employees reported receiving suspicious communications attempting to exploit the leaked data. Financial information and banking details remained unaffected by the breach according to official statements. MGP promptly filed a criminal complaint against unknown perpetrators for fraudulent personal data collection, breach of trust, and unlawful extraction from automated processing systems.

The organization implemented strengthened security protocols immediately following the detection to investigate the attack's origins and limit further exposure. These measures included enhanced monitoring systems and corrective technical controls to prevent additional cyber intrusions. MGP committed to ongoing oversight of the incident through regular updates on remediation efforts. This breach aligns with a pattern of cyberattacks targeting French metropolitan administrations, including prior incidents affecting Nantes, Angers, and Dijon in late 2024, and a 2020 ransomware attack that paralyzed Aix-Marseille-Provence's operations. No operational disruptions or ransomware demands were reported in the MGP case, with impacts confined to personal data exposure. The investigation remains active through judicial channels as authorities work to identify the responsible parties.