Dark Web News Analysis
A threat actor on a known cybercrime forum is advertising the sale of a database attributed to Urssaf (Union de Recouvrement des Cotisations de Sécurité Sociale et d’Allocations Familiales). The seller claims the dataset comprises 1.2 million rows of data.
Brinztech Analysis: This dark web listing is almost certainly the data exfiltrated during the confirmed cybersecurity incident at Pajemploi, a specific service managed by Urssaf for home-based childcare and employment.
- Correlation: The “1.2 million rows” claimed by the attacker exactly matches the “1.2 million individuals” that Urssaf confirmed were affected in its public statement around November 17-19, 2025.
- Data Content: While Urssaf stated that bank account numbers (IBANs) and passwords were not compromised, the confirmed leaked data includes highly sensitive PII: Full Names, Dates/Places of Birth, Social Security Numbers (NIR), and Bank Names.
- Timeline: The breach reportedly occurred around November 14, 2025. Urssaf initially denied the incident before confirming it days later, a common pattern that often spurs threat actors to list data publicly to prove their claims.
The sale is being conducted via Telegram and Session (a private messenger), standard TTPs for data brokers looking to monetize a “hot” dataset quickly before the value drops.
Key Cybersecurity Insights
This data breach presents a critical and immediate threat to French citizens:
- High-Value PII Exposure (NIR): The leak includes the French National Identification Number (NIR/Social Security Number). Unlike a password, this cannot be changed. Combined with names and birth details, it is a “master key” for administrative identity theft in France.
- Targeted Demographic (Employers & Caregivers): Pajemploi users are private employers (parents) and their employees (childminders). This specific relationship data could be weaponized for highly targeted spear-phishing (e.g., fake tax notifications or salary adjustments).
- Reputational & Regulatory Fallout: Urssaf’s initial denial followed by a confirmation damages public trust. The agency is now under scrutiny from the CNIL (French Data Protection Authority) and ANSSI (National Cybersecurity Agency).
- Financial Motivation: The immediate listing on a hacker forum confirms the attack was financially motivated. If a ransom was demanded and not paid (Urssaf has not confirmed a ransom), selling the data is the attacker’s secondary monetization strategy.
Mitigation Strategies
In response to this confirmed breach, affected individuals and organizations must take action:
- Vigilance Against “Official” Phishing: Users should be extremely skeptical of any emails or SMS purporting to be from Urssaf, Pajemploi, or the tax office (DGFiP), especially those demanding payment or asking them to verify banking details.
- Monitor Bank Accounts: While full IBANs were reportedly not leaked, the name of the user’s bank was. Attackers may use this to craft bank-specific phishing lures.
- Regulatory Compliance: Urssaf has already notified the CNIL. Organizations using Urssaf data flows should review their own interconnectivity and ensure no “lateral movement” is possible from the compromised Pajemploi environment.
- Individual Notification: Urssaf is individually notifying affected users. If you receive a notification, follow the specific guidance provided, which typically involves monitoring your social security and tax accounts for anomalous activity.
Questions or Feedback? For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com