FRENCH GOVT MESSAGING PLATFORM TCHAP BREACHED, 14GB STOLEN

France's effort to build a homegrown digital infrastructure hit a rough patch this month. The French National Cybersecurity Agency (ANSSI) discovered on June 7 that Tchap, the encrypted messaging app built for the French public sector, had been breached. A threat actor claimed responsibility and says they stole nearly 14GB of documents and files from users of the platform.

WHAT WAS STOLEN

The data includes email addresses, meeting links, and general organization data, according to the hacker's claims reported by Bleeping Computer. The attacker's account has since been identified and blocked, but the damage to France's digital sovereignty narrative is already done.

Tchap was launched in 2019 and is managed by the French Digital Affairs Directorate (DINUM). It was built on the Matrix protocol as a secure alternative to commercial messaging platforms for government communications. The app features end-to-end encryption on private conversations, but "the content of public chatrooms is not encrypted", making any data shared in those spaces directly readable by anyone with access.

This is a significant detail. France has spent years and considerable political capital trying to move away from foreign software, building domestic alternatives precisely because it wanted control over its sensitive government communications. The platform was supposed to be that control. Instead, a breach exposes the uncomfortable reality that even purpose-built sovereign tools carry risk.

THE TIMING COULD NOT BE WORSE

This year France ditched Windows in favor of Linux on government workstations, a flagship move in its tech sovereignty push. By next year, a homegrown alternative will replace Zoom and Microsoft Teams for French public sector collaboration. The EU, for its part, is reportedly planning to stop using Google as its default in-house search engine, with Quaint set to take over.

All of these moves are designed to reduce reliance on American tech giants and demonstrate that Europe can build its own digital infrastructure. But a breach at the core messaging layer undermines that pitch. If the secure government chat platform cannot stay secure, the broader argument for sovereign software weakens.

The attacker's claim of 14GB in stolen documents is substantial but not catastrophic in isolation. The real issue is what the data reveals about process and priority. Public chatrooms containing unencrypted meeting links and organizational data suggest that even within a supposedly secure environment, users were not operating under the assumption that every piece of information needed protection. That behavior is not unique to Tchap, but it is particularly damaging in a platform positioned as a secure alternative to the open internet.

France's tech sovereignty program remains ambitious and, in many respects, ahead of its European peers. The Linux migration is real. The homegrown collaboration tools are coming. But the Tchap breach shows that building domestic software is only half the battle. The other half is ensuring that the domestic software actually delivers on the security promises that justified its existence in the first place.