In summary: INSEE experienced a leak of its internal directory, affecting 12,800 current and former employees, with no banking or sensitive data exposed. The danger for a company is not the leak itself, but what attackers can do with a verified professional contact list.
What Happened
On June 26, 2026, INSEE announced that it had been the target of a cyberattack aimed at its internal directory, known as Trombi. The incident was detected on June 19. It exposed the identities and work contact information of approximately 12,800 current and former employees and members of its staff, according to reports by Usine Digitale and Le Monde Informatique.
The institute states that no banking information or sensitive data was compromised. The data breach involves names, job titles, assignments, and work contacts. As required by the GDPR, INSEE has notified the CNIL and filed a complaint with the public prosecutor.
Does this apply to me?
You may not be INSEE, but the following mechanism affects you directly. A stolen business directory provides attackers with high-quality raw material: exact names, real job titles, and valid addresses. With this information, they craft credible messages addressed to the right person, in the name of a colleague or business partner who actually exists.
The risk shifts to you as soon as one of your employees, suppliers, or customers is included in a database of this kind. A fake email “from” a known contact, a request for an urgent wire transfer, a malicious attachment—it all becomes harder to spot when the sender appears legitimate. Contact information alone is enough. No password is needed to launch a spear-phishing attack.
What to Do Now
1. Remind employees of the double-check rule. Any request for a wire transfer, an IBAN change, or access received via email or text message must be verified through a second, pre-approved channel—such as a call to a previously registered number. This simple precaution prevents the majority of fraud attempts, even the most sophisticated ones.
2. Strengthen authentication on Microsoft 365. Enable MFA everywhere and monitor rules for automatic mailbox forwarding, which attackers often set up after an initial compromise. A protected account significantly limits the damage caused by a single malicious email that slips through.
3. Alert your teams with a concrete example. A short note is better than a training session that gets forgotten. Show them what a well-crafted phishing email looks like, and designate a contact person to whom they can report any doubt without feeling they are being a nuisance.
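To make the forwarding-rule monitoring from step 2 concrete, here is an added example (not part of the original article, and not Microsoft's code) that flags enabled inbox rules sending mail to an outside domain. It assumes the rules have been exported in the Microsoft Graph `messageRule` JSON shape; the mailboxes, domains, rule names and function names are constructed for illustration.

```python
# Added example: flag inbox rules that forward mail outside the organisation.
# Rule dicts follow the Microsoft Graph "messageRule" shape; all data is constructed.
FORWARD_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
HIDING_ACTIONS = ("delete", "permanentDelete", "markAsRead", "moveToFolder")

def external_targets(actions, internal_domains):
    """Return (action, address) pairs whose domain is not an internal one."""
    hits = []
    for action in FORWARD_ACTIONS:
        for recipient in actions.get(action) or []:
            address = (recipient.get("emailAddress") or {}).get("address", "")
            _, at, domain = address.lower().rpartition("@")
            if at and domain not in internal_domains:  # exact domain match (assumption)
                hits.append((action, address.lower()))
    return hits

def audit_rules(rules_by_mailbox, internal_domains):
    """Report enabled rules that forward externally; 'high' if they also hide mail."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for mailbox, rules in rules_by_mailbox.items():
        for rule in rules:
            actions = rule.get("actions") or {}
            targets = external_targets(actions, internal)
            if not targets or not rule.get("isEnabled", False):
                continue
            hides = any(actions.get(a) for a in HIDING_ACTIONS)
            findings.append({"mailbox": mailbox, "rule": rule.get("displayName", ""),
                             "targets": targets, "severity": "high" if hides else "medium"})
    return findings

SAMPLE_RULES = {  # constructed sample, not taken from any real tenant
    "compta@example.fr": [
        {"displayName": "sync", "isEnabled": True, "actions": {
            "forwardTo": [{"emailAddress": {"address": "Box77@mail.example.net"}}],
            "delete": True}},
        {"displayName": "Newsletters", "isEnabled": True,
         "actions": {"moveToFolder": "constructed-folder-id"}},
    ],
    "direction@example.fr": [
        {"displayName": "Assistant", "isEnabled": True, "actions": {
            "redirectTo": [{"emailAddress": {"address": "assistant@example.fr"}}]}},
        {"displayName": "Archive", "isEnabled": True, "actions": {
            "forwardAsAttachmentTo": [{"emailAddress": {"address": "me@example.org"}}]}},
    ],
}
if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES, {"example.fr"}):
        print(f["severity"], f["mailbox"], f["rule"], f["targets"])
```

A rule that forwards externally and also deletes, moves or marks the message as read is rated high because the mailbox owner never sees the forwarded mail.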
For more information on this type of targeted attack, see our feature on spear-phishing in the workplace.
In a nutshell
The leak of the INSEE directory isn't aimed at you, but it fuels attacks that can target any company. The right response isn't to panic; it's to secure bank transfers with a double-check process and tighten access to email accounts. With these two measures in place, stolen contact information will have no effect.
Frequently asked questions
Is my data included in this data breach? Only if you work or have worked for INSEE. However, any company may receive fraudulent emails created using this contact information.
Should you change your passwords? This data breach does not contain any passwords. The best practice remains using two-factor authentication and being vigilant about unusual emails.
— Samir Amara, CEO — IT Systèmes



