Pass'Sport French Government Youth Sports Subsidy Program Breach (2025): 6.4 Million Household Contact Records Exposed :: Initially Misattributed to CAF

Executive Summary

A data file from France's Pass'Sport youth sports subsidy program was published on a hacking forum in December 2025. The file was initially misattributed to CAF, the French family allowance fund, until security researchers identified that it cross-referenced beneficiaries from three separate French agencies, CAF, MSA, and CNOUS, in a combination only the Pass'Sport program would assemble. Each record carried a Pass'Sport-specific identifier (id_psp) confirming the attribution. The Ministry of Sports subsequently acknowledged the incident.

The published file reportedly contained around 22 million rows reflecting cumulative Pass'Sport activity from 2022 through 2025, with the same household appearing multiple times across years. After deduplication, the file covered approximately 3.5 million unique households, with around 6.4 to 6.5 million unique email addresses indexed by Have I Been Pwned. Compromised fields included names, email addresses, phone numbers, gender, and physical addresses. The longitudinal nature of the file allowed beneficiary records to be tracked across multiple years, with the data on minor beneficiaries gradually transitioning from parent-linked contact details to the young person's own contact details upon reaching adulthood.

For affected individuals, the practical risk is concentrated in targeted phishing and household-level impersonation. The combination of full name, address, phone, and gender is a strong base for fraudulent messages purporting to come from Pass'Sport, CAF, or affiliated sports clubs, particularly during the annual subsidy enrolment cycle. Young adults whose data appeared in the file face an additional risk because the historical record can be used to craft messages that reference their childhood sports participation. Affected households should treat unsolicited contact about Pass'Sport, sports-club registration, or government allowances with caution and verify any communication through the official pass.sports.gouv.fr channel.

Breach Impact

The institutional impact has fallen primarily on the Ministry of Sports and on its supply chain of administrative subcontractors. Public reporting characterised the incident as another major weakness in the State's outsourcing chain for citizen data. The Ministry issued a statement acknowledging the breach, but the practical burden of customer notification fell to Pass'Sport beneficiaries discovering the issue through breach-tracking services and press coverage rather than direct outreach. There is no public record of formal CNIL enforcement action against the Ministry as of this writing. Reputationally, the breach added to a pattern of French government-sector data incidents that has fed broader political debate about state cybersecurity capacity.

About Pass'Sport

Pass'Sport is a French government-backed subsidy program designed to reduce the cost of sports participation for eligible young people, administered by the Ministry of Sports, Youth, and Community Life (Ministère des Sports, de la Jeunesse et de la Vie Associative). Eligible beneficiaries include minors and young adults whose households receive certain social allowances or who meet other income-based criteria. The program issues a financial allowance that can be used at affiliated sports clubs and associations across France. To administer the subsidy, the Ministry combines beneficiary data drawn from multiple government agencies including CAF (the family allowance fund), MSA (the agricultural social welfare fund), and CNOUS (the national student welfare body).

Why They Hold Your Data

Public subsidy and access programs collect beneficiary identity, contact information, eligibility records, household-linked details, and participation data tied to government funding and sports access workflows.

Recent Developments

The Ministry of Sports publicly acknowledged the December 2025 incident after data circulating on hacking forums was independently attributed to the Pass'Sport program. The leak was initially misattributed to CAF until French security researchers analysed the file structure and identified the cross-agency data combination as unique to Pass'Sport. The breach surfaced alongside a series of other French government-sector incidents in late 2025 and early 2026, including the French Football Federation, the French National Bank Account Registry, and the ANTS identity-document agency. French data-protection regulator CNIL has continued ongoing oversight of public-sector incidents.