French University Services Website Breach Exposes 774,000 Records

What happened

A French university services website breach exposed 774,000 records tied to an appointment platform used for social and housing services. The affected website, mesrdv.etudiant.gouv.fr, is used by students to book appointments with university service centers known as Crous. Cnous said 774,000 individuals were affected. Of that total, 139,000 had uploaded documents stolen, while 635,000 were affected by a more limited leak involving names, email addresses, and scheduled appointment details. Cnous said the exposed information spans the past decade. In response, the organization secured all compromised accounts, launched an investigation to determine the source of the breach, filed a report with CNIL, and began a formal complaint process. The platform was also temporarily closed to reinforce security measures. 

Who is affected

The direct exposure affects 774,000 individuals who used the mesrdv.etudiant.gouv.fr appointment platform for Crous services. The impact is direct for 139,000 people whose uploaded documents were stolen, while 635,000 others were affected through exposure of names, email addresses, and appointment details. 

Why CISOs should care

This incident is significant because it involves a long-running student services platform holding both personal information and uploaded documents across a ten-year period. It also shows how a breach in an administrative platform can trigger account lockdowns, regulatory reporting, formal complaints, and temporary service shutdowns. 

3 practical actions

1. Separate document storage from scheduling systems: Review whether appointment platforms unnecessarily hold uploaded documents alongside routine scheduling data, since both categories were exposed in this incident. 
2. Plan for rapid service shutdown and notification: Ensure public-facing service platforms can be temporarily closed, accounts secured, and affected individuals directly notified when a breach is confirmed. 
3. Align breach response with regulators early: Treat regulatory notification and formal complaint preparation as immediate parallel workstreams when personal and administrative data is exposed.

For more coverage of major security incidents affecting organizations worldwide, explore our reporting on Data Breaches.