Skip to content
Resources

Data Security

Data leaks and DAC8

Why DAC8 adds a sensitive crypto database to an environment already marked by mass leaks, misconfiguration and insider corruption.

Updated

Short answer

The DAC8 debate cannot assume that public or semi-public databases stay perfectly protected. No large database should be treated as permanently safe: public bodies, contractors, software vendors and insiders all create access points. Recent history shows the opposite of the security promise: mass leaks, compromised providers, diverted insider access.

DAC8 is especially sensitive because it combines civil identity, crypto activity and economic value. A single leak can transform a tax-reporting database into a criminal targeting tool. In 18 months, more than 100 million records of French citizens were compromised from databases run by the State or its contractors, and the link between leaks and violence is now asserted by the authorities: the Waltio breach directly served at least three kidnappings.

Key facts

8,613

breach notifications to the CNIL in 12 months (+45%)

24 / day

about one leak per hour

12.2M

people affected (+53%)

Forum Incyber / Hexatrust / CNIL, 2026 Barometer of personal data breaches (Sept. 2024 to Sept. 2025).

A very high-value database

A DAC8 database holds identity data and crypto data. That combination is more sensitive than a simple tax list: it crosses civil identity, crypto activity and economic value.

For an attacker, it can help prioritize victims, prepare coercion, or enrich data already available elsewhere.

Mass state leaks in France (2024-2026)

DateBodyVictimsData exposed
Jan. 2024Viamedis + Almerys33MNIR (social security number) + identity
Mar. 2024France Travail43MNIR, address, phone, email
Late 2025Cegedim Santé15MIdentity + 169,000 medical records
Jan. 2026FICOBA (DGFiP)1.2MBank details (RIB), IBAN, account holder identity
Apr. 2026Government mega-leak19MAddresses, emails, phone numbers
May 2026Almerys (new)15.4MNIR, contracts, insurers
May 2026DGSE (physical theft)n/aPolice station blueprints + Paris CCTV access

DAC8 relies on different administrations, systems, contractors and agents. The security of the whole depends on the resistance of the weakest link. The real question is not whether administrations intend to protect the data, but whether every connected system, every provider and every human access point will hold over time.

A single leak can be enough to turn a reporting obligation into a tool for criminal identification.

Insider access matters as much as hacking

The risk is not limited to an external hacker. An administrative database can be exposed through abusive insider access, misconfiguration, a compromised contractor or an illegitimate extraction.

The more a database is shared, the more human and technical access points it creates. DAC8 and CARF multiply the places where sensitive data can circulate, and therefore increase this exposure surface.

When the leak creates the attack: the documented pattern

FFTir case (October 2025). 250,000 sport shooters and 750,000 former license holders exposed on the dark web. The Paris Public Prosecutor confirmed that “these data were used to commit thefts by breaking and entering or by impersonation (use of a false capacity)”: between 20 and 30 burglaries / home-jackings within a few weeks.

Waltio case (January 2026). French crypto tax-calculation platform: about 50,000 users exposed (emails, gains/losses, value indicators, identity). The hackers claimed that these data served at least 3 kidnappings, totaling more than $17M extorted. The Paris Public Prosecutor opened an investigation.

Insider corruption and state precedents

  • Ghalia C. (DGFiP, Jan. 2026): an agent of the DIRCOFI in Bobigny was jailed for consulting and passing on addresses and tax profiles to criminals, specifically targeting cryptocurrency investors. The DAC8 pattern reproduces exactly the conditions exploited, but at the European level.
  • Equalize (Italy, 2024-2026): corrupt police officers accessed tax, police and bank databases to exfiltrate more than one million records, resold or used for blackmail. DAC8 multiplies these entry points by 27.
  • NRA Bulgaria (2019): the tax data of 5 to 7 million citizens, nearly the entire adult population, exfiltrated through “basic” techniques. It only takes one of the 27 administrations to be the weak link.

Le Parisien, 26 Nov. 2025 (FFTir) and Jan. 2026 (Ghalia C.) · Cybernews, 9 Feb. 2026 and Forbes, 14 Feb. 2026 (Waltio) · Reuters / Euronews (Equalize) · Wikipedia & Reuters, 16 July 2019 (NRA Bulgaria).

The crypto specificity

Leaked crypto data can stay useful for a long time. A public address can keep revealing future movements if the user cannot compartmentalize or cleanly migrate their funds.

The leak is therefore not limited to the past: it can create permanent surveillance. For crypto data, the consequence can go beyond identity theft: it can enable physical targeting.