Construction & Engineering / Construction & Concessions / Diversified building, civil engineering and infrastructure group / France (global operations)
Major French construction and concessions group (BTP), one of Europe's largest, active in building, civil engineering, energy systems and infrastructure concessions.
The Breach Risk Index (BRI) is a proprietary 0–100 score rating how dangerous a breach is right now, based on how recently the data has been circulating on the dark web and how valuable it is to attackers.
On or about February 25, 2026, the LAPSUS$ extortion group compromised Eiffage through its use of the NextSend file-transfer platform, exfiltrating and then publishing 77 files covering roughly 175,942 individuals: about 50,336 internal employees and 125,606 external contacts (clients, subcontractors, partners and recipients). Reported exposed data spans names, professional addresses and, for some parties, financial information. This entry tracks about 333,000 circulating records; the reported affected count is 175,942.
Full threat analysis, exploitation vectors, and principal guidance below.
10 additional sections · verified field analysis · defensive doctrine
333k rows records analyzed
Eiffage is a major French construction and concessions group, one of Europe's largest, active in building, civil engineering, metal, energy systems, roads and infrastructure concessions (motorways, airports). Publicly listed and headquartered near Paris, it reported roughly EUR 25 billion in 2025 revenue and employs tens of thousands across France and abroad.
As a large construction and concessions group, Eiffage holds employee records and extensive external-contact data for clients, subcontractors and partners, including names, professional contact and address details and, for some parties, financial information handled through procurement and file-exchange systems.
On February 25, 2026 LAPSUS$ listed Eiffage, claiming to have exfiltrated 175,942 records via the NextSend file-transfer platform and publishing 77 files; French reporting put the affected population at 50,336 internal employees and 125,606 external contacts. Eiffage is a listed EUR 25B-revenue group.
The breach exposes both Eiffage employees and a large external ecosystem of clients and subcontractors, creating GDPR notification obligations across France and the EU and reputational pressure amplified by LAPSUS$'s public shaming of a listed EUR 25B group. Exposure via a file-transfer platform highlights third-party and data-in-transit risk.
A consumer-service breach: contact and account data supports phishing, account takeover and profile enrichment. For a high-profile principal the main risk is credible impersonation and enrichment of existing exposure.
Motivation: Financial extortion, notoriety
An international extortion-focused group notorious for 2022 attacks on Microsoft, Nvidia, Samsung, Okta, Uber, Rockstar Games, T-Mobile and the Brazilian Ministry of Health. Does not use conventional ransomware; pure data theft and extortion.
Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.
Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.
Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.
Request Consultation