Personal data breach: how to react without panicking
"A ransomware-type cybersecurity incident has recently affected part of our information system: some of your data is concerned." This is an anxiety-inducing sentence that appears more and more frequently in messages we receive. When this happens, here is how to respond in practical terms.
February 10, 2026

Data breaches are happening one after another and are increasing in number. Handling 90 million parcels each year, Colis Privé had already suffered an attack in 2021. In October 2025, France Travail was once again the victim of a data breach—the third after the massive leak in July 2025 and the one in February 2024. On November 14, 2025, “up to 1.2 million employees of private individual employers” were affected by a data breach at Pajemploi, the service of the Union for the Collection of Social Security and Family Benefit Contributions (URSSAF) dedicated to the declaration and payment of childminders and in-home childcare workers.
As for telecom operators (Orange, Free, Bouygues Telecom, SFR…), nearly all of them have been affected at least once in the past two years. Not to mention the more than 33 million people impacted by the data breach affecting Viamedis and Almerys (two operators in charge of third-party payment for complementary health insurance) in 2024. It is therefore very likely that our data has been affected at some point by a data breach. How should we react when it happens to us?
What is a personal data breach (or violation)?
It is “a breach of security leading, whether accidentally or unlawfully, to the destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise processed.”
General Data Protection Regulation (GDPR)
In concrete terms, the data “leaks” as a result of unauthorized access or disclosure. The origin of such a breach may be:
- accidental: for example, sending an email containing personal information to the wrong recipient.
- malicious: for example, a cyberattack involving a third party gaining access to a database.
How can I know if my data has been leaked?
If a data breach poses a high risk to rights and freedoms (for example identity theft, financial loss, or reputational damage), the organization is required to inform the affected individuals as soon as possible (according to Article 34 of the GDPR). This communication may be sent directly to individuals (email, SMS, etc.) or via general information on the website, such as an alert banner (only if there is no way to contact the affected individuals directly).
To properly inform individuals, the communication must at a minimum include and explain, in clear and simple terms (according to Article 33 of the GDPR):
- the nature of the breach,
- the likely consequences of the breach,
- the contact details of the person to reach (Data Protection Officer or other contact),
- the measures taken to remedy the breach and, where applicable, to mitigate its possible negative effects.
This information is often accompanied by recommendations for affected individuals in order to reduce risks and consequences. For example, users may be asked to change their password, check the integrity of the data associated with their online account, or be extra vigilant regarding phishing emails (a scam technique aimed at tricking users into disclosing personal information).
What are the risks if I am a victim of a data breach?
Depending on the situation and the nature of the disclosed information, a personal data breach may have multiple consequences: identity theft, cyberbullying, hacking of online accounts, targeted phishing attempts, scams, fraud, extortion, or damage to one’s image or reputation. The data may also be resold to other cybercriminals.
Through a survey, the French Data Protection Authority (CNIL) sought to “better quantify the costs of different types of harm” suffered by individuals (financial loss, behavioral changes) associated with the fraudulent use of personal data.
The results of this survey show that 41% of respondents have experienced at least one fraudulent use of their personal data over the past three years. Among them, 21% suffered financial harm.
CNIL
“Across all cases, the average declared financial loss amounts to €740. The type of incident leading to the highest average financial loss is identity fraud (€915). More than one in two people who suffered harm over the past three years stopped using a digital service afterward.”
| FRAUDULENT USE OF PERSONAL DATA | PREVALENCE | SHARE LEADING TO HARM | SHARE LEADING TO MORAL HARM (STRESS, ANXIETY) | SHARE LEADING TO FINANCIAL HARM | AVERAGE FINANCIAL LOSS |
|---|---|---|---|---|---|
| Identity fraud | 16% | 70% | 28% | 24% | €915 |
| Unsolicited marketing | 24% | 35% | 15% | 29% | €691 |
| Financial fraud or attempted fraud | 5% | 65% | 26% | 75% | €592 |
| Disclosure of “compromising” information | 7% | 76% | 27% | 18% | €609 |
| Blackmail or harassment | 4% | 71% | 19% | 13% | €450 |
What should you do in the event of a personal data breach?
If you are informed of a possible breach of your personal data, here are the main measures you can take (to be adapted depending on the nature of the data concerned and the type of breach):
- Change your password on all sites or accounts where you use it. Best practice is to never reuse the same password. In the event of a breach, using identical passwords allows cybercriminals to access all your accounts, significantly increasing the amount of exposed data.
- Be extra vigilant regarding phone calls or messages requesting confidential information (codes, passwords, bank card numbers, copies of ID documents, etc.) or the validation of (often “urgent”) banking transactions. If in doubt, contact the organization directly to verify the origin of the message or call.
- Check login activity: your information may have been modified or orders placed without your knowledge. In the event of suspicious activity, contact the organization immediately.
- Report the unauthorized disclosure of your data to the organization and request its removal from pages, accounts, or messages publishing your personal information. Here are reporting links for major social networks:
- Request the de-indexing of your disclosed personal data. Here are data removal request forms for major search engines:
- File a complaint with the CNIL if you believe your personal data has not been sufficiently protected.
- You may also join a class action or collective legal action.
If your data is fraudulently used
You may file a complaint with the police station or gendarmerie you depend on. You may also submit your complaint in writing to the public prosecutor of the judicial court with jurisdiction over your area.
If your banking data has been leaked
Monitor your accounts regularly. If you notice fraudulent transactions, immediately block your payment methods with your bank. You may also inform your bank of the disclosure of your IBAN so it can increase monitoring of your account.
The CNIL has published resources on best practices to adopt online.
The national platform cybermalveillance.gouv.fr has also published a quick-reference guide on personal data breaches to help you adopt good cybersecurity practices and know how to react if you are affected.
How can you protect yourself against personal data breaches?
While knowing how to react after an attack is important, reducing the risk of your data being leaked in the first place is even more crucial. Here are some good online habits to adopt:
- Minimize the information you publish: the less data online, the lower the risk in the event of a breach. Unsubscribe from or delete unused accounts and exercise your right to have your data erased, using the CNIL template letter.
- Restrict access to your data: regularly check your account privacy settings (especially public/private visibility).
- Use a secure channel to transmit confidential documents (ID card, payslip, tax notice, bank details, etc.).
- Do not save login credentials or payment details for one-time purchases. Using a single-use virtual card with a capped amount can also limit risks.
- Secure your accounts: use different, strong passwords for each site and application, and enable two-factor authentication whenever possible. Using a certified password manager (such as KeePass or LockPass) is strongly recommended.
- Apply software, app, and device updates to fix security vulnerabilities. Enable automatic updates whenever possible.
You can also help fight cybercrime by:
- Reporting suspicious messages or websites to Signal Spam.
- Reporting phishing websites to Phishing Initiative by Orange Cyberdefense.
References:
Cyberattacks:
French Football Federation
Statement of November 26 regarding data theft – 12/01/25
Cybermalveillance.gouv.fr
Personal data breach at the French Shooting Federation: situation, risks, and recommendations – 11/07/25
Usine Digitale
Colis Privé falls victim to a cyberattack causing service disruptions – 04/30/2021
Usine Digitale
Cyberattack: Colis Privé reports unauthorized access to its systems exposing customer data – 11/24/25
Urssaf
The Pajemploi service was the victim of data theft – 11/19/25
France Travail
Cyberattack: stay vigilant!
Usine Digitale
France Travail hacked again, data of 340,000 job seekers affected – 07/23/25
CNIL
France Travail: the CNIL investigates the data breach and provides protection advice – 03/13/24
Cybermalveillance.gouv.fr
Personal data breach at Bouygues Telecom: situation, risks, and recommendations – 08/13/25
Cybermalveillance.gouv.fr
Personal data breach at Free: situation, risks, and recommendations – 10/31/24
Orange
Orange Group announces it has filed a complaint following an attack on one of its information systems
Usine Digitale
Cybersecurity: SFR affected by a data breach exposing customers’ IBANs – 09/20/24
CNIL
Data breach at two third-party payment operators: the CNIL opens an investigation and reminds policyholders of precautions to take – 02/07/24
Regulations:
Risks related to cyberattacks:
CNIL
Cybercrime: risks and consequences for personal data
CNIL
Harris–CNIL Report: The French, their data, and consent to online advertising
What should I do if I am a victim?
CNIL
Data breach and theft of your IBAN: how to protect yourself if you are affected
Cybermalveillance.gouv.fr
Why and how to properly manage your passwords
CNIL
Protect yourself online with cyber reflexes
Cybermalveillance.gouv.fr
How to react in the event of a personal data breach
CNIL
Exposure of 16 billion identifiers and passwords – what should you do?
CNIL
Personal data breaches: rules to follow
CNIL
Cybercrime: risks and consequences for personal data