Decoding the world of cybersecurity

Tchap breach tests French messaging

France says a compromised Tchap account exposed public rooms and account data for fewer than 9% of registered users.

Tchap breach tests French messaging
Summary
  • DINUM confirmed a Tchap account compromise on 7 June 2026, analysed with ANSSI and notified to CNIL.
  • France says private encrypted conversations remained protected, while public rooms and basic user data may have been exposed.
  • The incident raises public-sector identity, collaboration, and digital sovereignty issues for European government systems.

DINUM, France’s interministerial digital directorate, has confirmed a security incident affecting Tchap, the encrypted messaging service used by French public-sector workers, after a user account was compromised on 7 June 2026.

The French government said the incident was signalled and analysed in coordination with ANSSI, with DINUM teams moving to confirm the compromise, determine its perimeter, and take immediate protective measures. The account behind the malicious requests was identified and blocked to remove the attacker’s persistent access.

In its incident notice, DINUM said Tchap supports both public and private conversations. Private conversations are encrypted, and DINUM said the history of private encrypted conversations is not accessible even in the event of account impersonation. The potentially consulted exchanges were therefore limited to public conversations, which are open to all Tchap users and not encrypted.

The confirmed exposure still reaches a meaningful scale. DINUM said 73,467 agents were likely concerned by the incident, out of more than 825,000 registered agents, representing fewer than 9% of users. Potentially exposed account data includes at least names, first names, email addresses, organisational affiliation, and avatars.

The investigation remains incomplete. DINUM said it is continuing to review event logs to identify which conversations the attacker could access and the nature of any exfiltrated data. It has notified CNIL, France’s data protection authority, because personal data may have been compromised through information shared in conversations accessible to the attacker.

Tchap is part of France’s public-sector digital sovereignty strategy, intended to give government workers a state-managed alternative to foreign commercial messaging platforms. The incident shows that sovereign control and encryption do not remove ordinary exposure created by account compromise, user behaviour, public-room design, and operational logging.

DINUM’s distinction between private encrypted conversations and public rooms is important. It also shows how collaboration systems can expose information even when their core encryption model remains intact. Public rooms may support broad internal communication, but their discoverability and lack of encryption make them unsuitable for sensitive material. DINUM has reminded all users that personal, sensitive, or professionally confidential information should not be exchanged in public rooms.

European public-sector bodies have become increasingly dependent on collaboration platforms that sit between internal communication, document sharing, operational coordination, and political administration. Attackers do not need to break a secure platform if they can obtain a valid account and exploit areas where user behaviour and system design create accessible data.

Broader claims have circulated about the volume of data obtained by the attacker, including messages and files. Those claims remain alleged unless independently verified or confirmed by French authorities. DINUM’s confirmed account is narrower, but still consequential: a government communications platform suffered account compromise, public-room content may have been accessed, and tens of thousands of public-sector users may have had account data exposed.

Further updates from DINUM and the outcome of the CNIL notification will determine whether the incident remains a contained public-room exposure or points to wider data compromise inside a sovereign government collaboration platform.

×