Cyber Incident Victim: Chronopost
Date:
Jan 2025
Location:
France
Summary
A cyberattack compromised personal data of 210,000 customers of a La Poste subsidiary, involving names, addresses, delivery signatures, and occasionally phone numbers. In a separate incident, attackers illicitly accessed data of 70,000 individuals affiliated with a public-sector pension fund managed by Caisse des Dépôts, including public contractors and local officials, though specific data types were not disclosed. Both breaches exploited unauthorized credential access—public employer credentials in the latter case—and were reported to regulatory authorities. The incidents raised concerns about potential fraud through social engineering tactics leveraging stolen information.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In late January 2025, Chronopost, a parcel delivery subsidiary of La Poste Group, experienced a cyberattack compromising the personal data of 210,000 customers. Attackers accessed names, addresses, delivery signatures, and in some cases telephone numbers from the company's systems. Chronopost publicly confirmed the breach on February 13, 2025, alongside a separate incident involving the Caisse des Dépôts (CDC), though the attacks were unrelated. The compromised Chronopost data originated from delivery proof records, exposing recipient information tied to package transactions. Chronopost notified France's data protection authority, the Commission nationale de l'informatique et des libertés (CNIL), in compliance with legal obligations. No operational disruption to delivery services was reported, but the exposure of signatures and contact details created risks of identity misuse.
Around the same timeframe, attackers infiltrated systems managed by the CDC, specifically targeting Ircantec, a supplementary pension scheme for public sector workers administered by the institution. This separate breach affected approximately 70,000 individuals, including public service contract workers and 1,000 local elected officials. Intruders gained access using stolen login credentials from multiple public employers, enabling unauthorized entry to pension-related personal data. The CDC did not disclose specific data categories compromised but confirmed no fraudulent activities occurred within beneficiaries' accounts after conducting precautionary reviews. Both organizations issued notifications to affected individuals following the February 13 disclosures. The incidents highlighted risks of subsequent social engineering attacks, as stolen data could be weaponized for phishing scams via SMS, email, or phone calls leveraging exposed personal details.