Security Incident

A security incident involving personal data related to the Digital Vaccination Record was brought to our attention on June 15, 2026. Ongoing investigations indicate that an unauthorized third party accessed certain personal data processed by the platform and obtained a copy of it. The information currently available is set out below.

Frequently Asked Questions

What data may be affected?

At this stage of the investigation, the categories of data potentially affected are as follows:

  • identification and contact information (email address and phone number). Passwords, which are stored in encrypted form, are not affected by this incident. As a general precaution, you may nevertheless change your password;
  • civil status data, residential address, and social security number when it has been provided;
  • vaccination data and health profile information, where such a profile has been completed. This data is stored in coded form. At this stage of the investigation, we have not identified any direct exposure of medical information in plain text;
  • no banking information is affected by this incident.

Who is affected?

We are not currently able to identify with certainty which individuals are affected. As a precautionary measure, we consider that all holders of a Digital Vaccination Record may potentially be affected by this incident.

What should I do?

We recommend that you remain particularly vigilant regarding unusual emails, text messages, or phone calls requesting personal, medical, or financial information.

If in doubt, do not disclose any sensitive information and always verify the identity of the person contacting you.

As a general precaution, you may also change your password.

Has the incident been reported to the CNIL?

Yes. In accordance with our regulatory obligations, the CNIL (French Data Protection Authority) was notified of this incident on June 15, 2026.

Has a complaint been filed?

Yes. A complaint has been filed with the competent authorities.

Do I need to file an individual complaint?

An individual complaint is not necessary unless you have suffered direct harm or become aware of an attempt to fraudulently use your data.

Are the services still available?

Yes. The Colibri software, the Digital Vaccination Record, and the Professional Digital Vaccination Record remain accessible and fully operational.

The security measures implemented following the incident have not resulted in any service interruption for users.

What are the risks associated with this incident?

Unauthorized access to personal data may, in some cases, lead to attempts by third parties to misuse that information. In particular, we encourage you to remain alert to the following situations:

  • phishing attempts via email, text message, or telephone;
  • unsolicited commercial communications;
  • in rarer cases, attempts at identity theft.

How can I reduce the risks?

Be cautious of unusual messages, especially those asking you to provide personal, medical, or banking information, or copies of identity documents.

Do not click on suspicious links and never disclose sensitive information following an unsolicited message or phone call. If in doubt, contact the organization concerned directly using its official contact details.

For any questions or assistance, you may also consult the official platform cybermalveillance.gouv.fr.

What are you doing concretely to protect us?

As soon as this event was discovered, we immediately implemented enhanced security measures to contain the incident and prevent any further unauthorized access.

The main actions already completed or currently underway are as follows:

  • disconnection of the affected environments and complete reconstruction of the production infrastructure;
  • comprehensive audit of the production system and verification of the integrity of all environments;
  • strengthening of authentication and authorization management mechanisms relating to source code repositories;
  • outsourcing and securing access to source code repositories;
  • enhanced isolation of the various processing operations and technical environments.

In addition, several complementary actions are being undertaken to further strengthen our security posture over the long term:

  • increased security audits and penetration testing carried out by specialized service providers;
  • review and strengthening of internal procedures governing access management, authorizations, and workstations.

The principles applicable to the protection of personal data are described in our legal notices and privacy policy.