ANSSI says the compromise of France's government messaging platform Tchap only exposed public chat rooms, but the alleged attacker claims access to 73,000 accounts and restricted documents. With CNIL now notified, the gap between the two accounts is exactly where users' rights hang in the balance.
French authorities are working through server logs this week to answer a question that matters to tens of thousands of public sector employees: when an account on the government's encrypted messaging service was hijacked, how much did the intruder actually see?
The official answer and the attacker's answer are not even close.

What happened
The incident surfaced on June 7, when France's National Cybersecurity Agency (ANSSI) flagged suspicious activity on Tchap, the state's homegrown messaging tool used across ministries and public sector organizations. Tchap is built on the open-source Matrix protocol and was created as a sovereign alternative to commercial apps like WhatsApp and Telegram, specifically so that government communications would not flow through foreign servers.
The French Digital Affairs Directorate (DINUM), which runs the platform, said it moved quickly to block the affected account and open an investigation. According to the government, the attacker hijacked a single account and could only read messages posted in public chat rooms, the spaces any Tchap user can find and join. Private conversations, officials stressed, are end-to-end encrypted, so their contents stay unreadable even when an account is taken over.
A cyber criminal claiming responsibility paints a far larger picture. The person said they got in by social engineering a valid agent account tied to Tchap's education environment, then claimed to have accessed more than 73,000 user accounts, roughly 643,000 messages, nearly 60,000 media files, and hundreds of chat rooms. The post, circulated by Dark Web Intelligence, also alleged that a directory search function allowed user enumeration and that some data referenced documents marked "Diffusion Restreinte," a French restricted-distribution classification.
None of those claims have been independently verified. DINUM's public statement says nothing about a directory exposure, restricted documents, or the data volumes the attacker cited.
The legal basis
This is where the breach stops being only a technical story and becomes a data protection one. France notified its data protection authority, the CNIL, after concluding that personal information may have been exposed through content shared in conversations the attacker could reach.
That notification is not a courtesy. Under the General Data Protection Regulation, a controller that suffers a personal data breach must notify the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to people's rights and freedoms (Article 33). If the breach is likely to result in a high risk, the controller also has to inform the affected individuals directly (Article 34). The fact that DINUM went to CNIL tells you the government does not consider the risk negligible, whatever its public messaging about "limited" exposure suggests.
GDPR applies to public bodies, not just companies. A government ministry processing employee and citizen data carries the same Article 5 obligations around integrity and confidentiality as any private controller, and the same accountability requirement to demonstrate compliance. Public authorities in France are generally shielded from the administrative fines that the CNIL can levy on private firms, but they are not shielded from formal reprimands, corrective orders, or the reputational cost of a regulator's finding.
Impact on users and the state
For the people who use Tchap, the practical exposure depends entirely on what the logs show. The government's framing rests on a single technical claim: public chat rooms are not encrypted, private ones are, and so a hijacked account leaks only the public side. If that holds, the harm is real but contained, limited to whatever personal details users typed into open rooms against the platform's own rules.
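The government's distinction can be checked against room state, as in this added example (not DINUM's or Tchap's code): it uses the Matrix state event types `m.room.join_rules` and `m.room.encryption` to list the rooms whose plaintext a single account can reach. The room IDs, the sample state and the function names are constructed for illustration.

```python
# Added example: which rooms expose plaintext to one hijacked account?
# Event types come from the Matrix spec; room IDs and state are constructed.
SAMPLE_STATE = {
    "!annonces:example.invalid": [
        {"type": "m.room.join_rules", "content": {"join_rule": "public"}},
    ],
    "!projet:example.invalid": [
        {"type": "m.room.join_rules", "content": {"join_rule": "invite"}},
        {"type": "m.room.encryption",
         "content": {"algorithm": "m.megolm.v1.aes-sha2"}},
    ],
    "!forum:example.invalid": [
        {"type": "m.room.join_rules", "content": {"join_rule": "public"}},
        {"type": "m.room.encryption",
         "content": {"algorithm": "m.megolm.v1.aes-sha2"}},
    ],
    "!ancien:example.invalid": [
        {"type": "m.room.join_rules", "content": {"join_rule": "invite"}},
    ],
}


def _content(events, event_type):
    """Return the content of the last state event of this type, or {}."""
    found = {}
    for ev in events:
        if ev.get("type") == event_type:
            found = ev.get("content", {})
    return found


def classify(events):
    """Return (access, protection) for one room's state events."""
    # With no join_rules event, Matrix treats the room as invite-only.
    join_rule = _content(events, "m.room.join_rules").get("join_rule", "invite")
    encrypted = bool(_content(events, "m.room.encryption").get("algorithm"))
    access = "public" if join_rule == "public" else "restricted"
    return access, "encrypted" if encrypted else "plaintext"


def plaintext_reachable(state, already_member=frozenset()):
    """Rooms whose plaintext the account can read: every public plaintext
    room, plus plaintext rooms the account already belongs to."""
    reachable = set()
    for room_id, events in state.items():
        access, protection = classify(events)
        if protection == "plaintext" and (
                access == "public" or room_id in already_member):
            reachable.add(room_id)
    return reachable
```

The second argument matters for scoping: an invite-only room that was never encrypted is still plaintext to any account that is already a member, so the hijacked account's existing memberships belong in the audit alongside the public rooms.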
If the attacker's account is closer to the truth, the picture changes sharply. User enumeration through a directory search would mean the breach exposed who is on the platform, not just what they said. A list of 73,000 government and education accounts is itself sensitive data, useful for phishing, impersonation, and targeted follow-on attacks. References to restricted-distribution documents would push the incident from a privacy problem into a national security one.
The gap between the two stories is the whole story right now. ANSSI and DINUM say investigators are still determining which conversations were accessed and whether any data was exfiltrated. Until that work finishes, users are being asked to trust an account of events that the alleged perpetrator directly contradicts.
There is a quieter accountability question underneath the technical one. The reported entry point was social engineering of a legitimate agent account in the education environment, not a flaw in the encryption. That pattern, a valid credential turned against the system, is the same one behind a long run of public sector breaches in France, including the case prosecutors recently linked to a 15-year-old at the state's secure document agency. Strong cryptography does not help when the attacker simply logs in as someone who is allowed to be there.
What changes
In its message to users, the government leaned on its own terms of service. "A message has been sent to all Tchap users reminding them that a public chat room can be found and joined by any user and that its content is not encrypted," officials said, adding that "no personal, sensitive, or confidential information should be exchanged in public chat rooms."
That reminder is sensible, but it also quietly shifts responsibility toward the people who used the tool. A platform that lets any account read public rooms, and reportedly lets users be enumerated through search, has design choices to answer for regardless of what its terms say. Reminding 73,000 people to be more careful is not the same as fixing the conditions that let one hijacked account become a mass-access incident.
The meaningful changes will come from the investigation. Three outcomes are worth watching. First, CNIL's response: whether it opens its own inquiry and whether it concludes affected individuals should have been notified directly. Second, the log analysis: a clear public accounting of how many accounts and messages were actually reachable, which would settle the dispute between the government and the attacker. Third, the access controls themselves: whether DINUM tightens directory search, account recovery, and the privilege boundaries that allowed an education-environment account to matter platform-wide.
Sovereignty was the entire point of building Tchap. Keeping government data on French infrastructure removes one category of risk, the foreign-jurisdiction problem, but it does nothing about social engineering, weak account recovery, or over-broad search functions. A breach run through a legitimate login looks identical whether the servers sit in Paris or Virginia. The lesson for any organization running its own secure messaging is that owning the stack is the start of the security work, not the end of it.
For now, the people whose data may be involved are left waiting on the logs, holding two irreconcilable versions of what happened to it.
