Auchan suffers second major data breach in less than nine months, exposing customer information

French supermarket giant Auchan has confirmed another significant cyberattack, disclosing on August 21 that the personal data of several hundred thousand loyalty program customers was compromised. The breach marks the second major incident to hit the retailer in less than a year and underscores the intensifying cybersecurity threats facing France’s retail sector.

The attack targeted Auchan’s loyalty card systems, exposing names, email addresses, postal addresses, phone numbers, and loyalty card numbers. The company stressed that banking data, passwords, and PIN codes were not affected.

“The protection of our customers’ data is a top priority for us, and we are handling this incident with the utmost rigor,” Auchan said in a notification to customers. The company reported the incident to France’s data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), and has begun informing affected customers directly.

The breach follows a November 2024 cyberattack that compromised the data of more than 500,000 customers with loyalty accounts. The recurrence of attacks has raised concerns about Auchan’s cybersecurity defenses, especially as the retailer continues to undergo restructuring after announcing nearly 2,400 job cuts late last year. Analysts suggest organizational changes may have left the company more vulnerable to external threats.

Auchan’s disclosure comes during a surge of high-profile cyberattacks across France in 2025. Earlier this month, Bouygues Telecom reported a massive breach affecting 6.4 million customers, while Orange Belgium confirmed unauthorized access to 850,000 accounts. Orange France also suffered service disruptions in July following a separate attack on its internal systems.

Government entities have also been targeted. France Travail, the national unemployment agency, reported a July breach impacting more than 340,000 users of its Kairos platform. In May, the Hauts-de-Seine department was forced to take its IT systems offline indefinitely after a large-scale attack.

According to France’s cybersecurity agency ANSSI, reported security events rose 15 percent in 2024, with more than 1,300 confirmed malicious attacks. Surveys show the retail industry remains one of the hardest hit, with four out of five French retailers reporting cyber incidents last year.

Threat groups such as Scattered Spider and ShinyHunters have been linked to multiple attacks against retail and telecom organizations in France, often relying on phishing and social engineering to steal credentials and gain access to sensitive systems.