Eiffage 2026 Data Breach

Eiffage 2026 Data Breach

Construction & Engineering / Construction & Concessions / Diversified building, civil engineering and infrastructure group / France (global operations)

Eiffage 2026 Data Breach

Major French construction and concessions group (BTP), one of Europe's largest, active in building, civil engineering, energy systems and infrastructure concessions.

Confirmed · ObscureIQ Intelligence
Breach Risk Index i
0/100
Lower riskHigher risk
Lower: limited current risk based on data value and recency.
Data Sensitivity i
Standard
Exposed data is largely lower-sensitivity. Standard identity-protection precautions are advised.
333k rowsRecords
2026Year

The Breach Risk Index (BRI) is a proprietary 0–100 score rating how dangerous a breach is right now, based on how recently the data has been circulating on the dark web and how valuable it is to attackers.

Classification Tags
LAPSUS$Ransomware / ExtortionConstruction & EngineeringConstruction & ConcessionsEmployees/Customers2026

Breach Summary

On or about February 25, 2026, the LAPSUS$ extortion group compromised Eiffage through its use of the NextSend file-transfer platform, exfiltrating and then publishing 77 files covering roughly 175,942 individuals: about 50,336 internal employees and 125,606 external contacts (clients, subcontractors, partners and recipients). Reported exposed data spans names, professional addresses and, for some parties, financial information. This entry tracks about 333,000 circulating records; the reported affected count is 175,942.

Full threat analysis, exploitation vectors, and principal guidance below.

10 additional sections · verified field analysis · defensive doctrine

Querying breach corpus…
Cross-referencing exposed field types…
Resolving threat-actor attribution…
Compiling principal risk advisory…

333k rows records analyzed

About Eiffage

Eiffage is a major French construction and concessions group, one of Europe's largest, active in building, civil engineering, metal, energy systems, roads and infrastructure concessions (motorways, airports). Publicly listed and headquartered near Paris, it reported roughly EUR 25 billion in 2025 revenue and employs tens of thousands across France and abroad.

Why They Hold Your Data

As a large construction and concessions group, Eiffage holds employee records and extensive external-contact data for clients, subcontractors and partners, including names, professional contact and address details and, for some parties, financial information handled through procurement and file-exchange systems.

Recent Developments

On February 25, 2026 LAPSUS$ listed Eiffage, claiming to have exfiltrated 175,942 records via the NextSend file-transfer platform and publishing 77 files; French reporting put the affected population at 50,336 internal employees and 125,606 external contacts. Eiffage is a listed EUR 25B-revenue group.

Data Points Exposed

1 verified field types
Full Name

Breach Impact

The breach exposes both Eiffage employees and a large external ecosystem of clients and subcontractors, creating GDPR notification obligations across France and the EU and reputational pressure amplified by LAPSUS$'s public shaming of a listed EUR 25B group. Exposure via a file-transfer platform highlights third-party and data-in-transit risk.

Principal Risk Advisory

What this means for a principal

A consumer-service breach: contact and account data supports phishing, account takeover and profile enrichment. For a high-profile principal the main risk is credible impersonation and enrichment of existing exposure.

What You Should Do

  1. Do not use unofficial 'am I affected' lookups; several are themselves harvesting operations.

How ObscureIQ Can Help

  1. Corpus confirmation: determine whether and where the principal (plus household and staff) appear in this dataset and which specific fields are exposed for them.
  2. Exposure mapping: cross-reference the exposed identifiers against broker-available data to size and prioritize the principal's wider footprint.
  3. ThreatWatch tuned to this incident's identifiers and misuse pattern (impersonation and targeting patterns, not generic credential monitoring).
L
Threat Actor: LAPSUS$Confidence: High
Extortion group

Motivation: Financial extortion, notoriety
An international extortion-focused group notorious for 2022 attacks on Microsoft, Nvidia, Samsung, Okta, Uber, Rockstar Games, T-Mobile and the Brazilian Ministry of Health. Does not use conventional ransomware; pure data theft and extortion.

Read the full threat-actor profile →

Protect Yourself

Check If You're Affected

Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.

Get Free Breach Alerts

Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.

High-Risk? Get an Exposure Audit

Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.

Request Consultation