Cyber Incident Victim: Caisse des Dépôts

On Wednesday 12 February 2025, the Caisse des dépôts informed franceinfo that a breach of personal data had occurred affecting 70 000 individuals. The breach involved the fraudulent use of login identifiers belonging to several public employers that access the Caisse des dépôts’ retirement‑fund platform. These identifiers were used to gain illegitimate access to personal data of affiliates of the Ircantec retirement scheme. The Caisse des dépôts manages retirement funds and provides the platform that enables state, local‑authority and health‑establishment employers to fulfil their obligations to the retirement regimes it oversees.

All 70 000 affected persons are affiliated to the Ircantec scheme, comprising contract agents of the state, territorial and hospital public services, local elected officials and hospital practitioners. Among them, approximately 1 000 are elected officials. The Caisse des dépôts stated that it had notified the concerned individuals by mail or letter. It also indicated that it had taken the measures necessary to remedy the data violation and to limit negative consequences for the affiliates.

Fraudulent connections that enabled the illegitimate accesses have been blocked. Control over account creation on the platform has been strengthened. The security of the information system has been reinforced, and precautionary checks are being performed to verify the absence of any irregular act from the personal spaces of affiliates managed by the Caisse des dépôts. All partners of the group have been informed so that they may put in place or adjust their alert systems for abnormal activity on their data processing.