Sovereign, hosted by the Ministry of the Interior’s cloud, exclusively reserved for French state agents, ultra-secure… All this will not have prevented Tchap messaging from being the victim of a cyberattack, the Interministerial Digital Directorate (Dinum) announced on Monday June 8. According to the specialist site FrenchBreaches, a hacker claimed responsibility for the attack on the dark Web, claiming to have extracted more than 643,000 messages and the data of 73,000 public officials from the application.
Launched in 2019 by Dinum, the application had to be gradually downloaded by all public officials, at the request of Prime Minister François Bayrou. This, “in order to ensure the security of conversations and shared information”, as well as France’s digital sovereignty. Also, it is via this messaging system and no longer on WhatsApp, Signal or Telegram that all professional exchanges between ministries and prefectures take place.
Tchap was developed specifically for the public sector. Downloadable on smartphone, tablet and computer, this messaging looks almost like the others. It also encrypts messages end-to-end, meaning that only the sender and the receiver have the ability to read the sent message. But unlike popular messaging services, it has the advantage of having its servers hosted in France. The State therefore controls the infrastructure and developments.
The use of the tool had been widespread to prevent senior officials from sending each other classified documents via instant messaging accessible to the general public – like Jean-Jacques Urvoas, former Minister of Justice, convicted of “violation of the secrecy of the investigation” for having sent via Telegram a secret judicial note to LR deputy Thierry Solère.
This forced migration was also carried out to prevent the professional exchanges of state agents from being recovered by Washington thanks to the Cloud Act. Promulgated by the United States in 2018, it forces companies to hand over their data to the American authorities, if the latter require it.
Global vulnerability
In the same circular, François Bayrou was also concerned about the “increasing number of cyberattacks” that administrations were facing. Attacks from which Tchap was supposed to protect them, which had been validated by Anssi, the National Agency responsible for the security of information systems.
But if the security of the application had been called into question when it was launched – a bug in its system for verifying email addresses during registration had allowed a researcher to bypass the filter supposed to reserve access only to state agents – the cyberattack of June 8 is not attributed to a technical defect. Rather, a global vulnerability, which allowed the hacker to browse all ministerial discussion spaces by infiltrating a single user account. End-to-end encryption protects private messages, not access to collaborative spaces accessible to all users, i.e. some 400,000 public agents.
The hacker would thus have managed to plunder the collaborative spaces of several ministries, including those of the interior, the armed forces, foreign affairs and the economy. Among the documents concerned, 90 would be marked “restricted distribution”, attributed to sensitive information but not protected by defense secrecy, specifies FrenchBreaches.
Increasing number of cyberattacks
This new data leak adds to an already long list of attacks carried out against French IT systems in 2026. Thus the France Titles (ANTS) platform, which issues secure identity documents, suffered a leak in April potentially affecting 11.7 million accounts, a few months after 160,000 documents had been extracted from HubEE, a platform intended to carry out administrative procedures.
To prevent these data thefts from affecting the very top of the French state, senior civil servants and senior military officials are equipped with an ultra-secure telephone. From the beginning of the 2010s and for almost a decade, it was the Teorem model, manufactured by Thales, which was distributed to them. Exclusively composed of French parts, compatible with defense secrecy and ultra-secure, it was however shunned by civil servants due to its lack of practicality. It was replaced in 2019 by a phone from the Korean brand Samsung and modified for the government by Ercom, a French company specializing in digital security.
