French government messaging app Tchap hit by major security breach

France’s homegrown government messaging service has fallen victim to a significant cyber attack, exposing the challenges facing nations trying to reduce their dependence on foreign tech platforms. The breach of Tchap, an encrypted messaging app used exclusively by French public servants, highlights the security risks that come with building domestic alternatives to popular services like WhatsApp or Slack.

The French National Cybersecurity Agency (ANSSI) discovered the compromise of Tchap on June 7, immediately triggering an investigation by the French Digital Affairs Directorate (DINUM), which developed and manages the platform. Officials quickly identified and blocked the compromised account, though they’re still determining the full scope of data that may have been stolen.

According to Engadget, a threat actor has claimed responsibility for the attack and shared some of the allegedly stolen files. The hacker claims to have accessed nearly 14GB of documents and files shared by government workers using Tchap, including:

  • Hardcoded LDAP credentials
  • Documents shared in public chatrooms
  • Email addresses and meeting links
  • General organizational data

The breach is particularly concerning given Tchap’s role in France’s broader strategy to achieve digital sovereignty. Built on the open-source Matrix protocol, the service launched in 2019 as a secure communication platform designed specifically for the French public sector. It features end-to-end encryption for private conversations, though officials reminded users that content in public chatrooms is not encrypted.

This security incident comes at a crucial time for France’s push toward technological independence. The country has been aggressively moving away from foreign software solutions across government operations. This year alone, France replaced Windows with Linux on government workstations, and plans call for a homegrown alternative to replace Zoom and Microsoft Teams by next year.

The timing also raises questions about the European Union’s similar digital independence efforts. The EU, with France as a founding member, is reportedly planning to ditch Google as its default internal search engine in favor of Qwant, a search tool developed in France. These moves reflect growing concerns about data sovereignty and the security risks of relying on foreign technology platforms for sensitive government communications.

While French officials haven’t disclosed the source of the breach, the incident demonstrates that building secure domestic alternatives to established tech platforms comes with significant challenges. Government agencies worldwide are watching how France handles this breach, as many countries are considering similar moves away from US-based tech giants for their internal communications and operations.