Introduction
Tchap, the instant messaging platform developed by France's Interministerial Directorate for Digital Affairs (DINUM), was built on a credible premise: give French civil servants a sovereign communication channel, audited by national cybersecurity agency ANSSI, built on the open Matrix protocol with end-to-end encryption. By September 2025, it had been rolled out across the entire central government. Yet in early June 2026, an attacker exfiltrated the data of 73,467 accounts — roughly 9% of the user base — without ever touching the encryption.
A Secure Protocol Bypassed, Not Broken
The attacker didn't try to crack the cryptography. They used social engineering to compromise a legitimate user account, gaining authenticated access to the platform. Once inside, the breach unfolded through Tchap's public rooms — which, unlike private conversations, are not end-to-end encrypted. The result: nearly 650,000 messages, along with the names, email addresses, organizational affiliations, and metadata of 73,467 civil servants were exfiltrated, together with 13.5 GB of documents and files shared in those open spaces.
The incident also exposed a secondary vulnerability, independent of the initial attack: LDAP credentials found in plain text inside a PowerShell script shared in a public room. Those credentials — apparently posted by an IT administrator from a regional department — represented a directly exploitable entry point, requiring zero technical sophistication.
ANSSI detected the intrusion on June 7th. DINUM immediately blocked the compromised account and notified France's data protection authority (CNIL). Privately encrypted conversations remained inaccessible to the attacker. But the damage to public-space data was already done.
The Gap Between Secure Architecture and Real-World Deployment
Tchap illustrates a structural problem that security teams know well but that still gets sidelined in large-scale rollouts: a robust architecture does not guarantee secure usage. The designers had done their job correctly — an open and auditable protocol, strong encryption for private exchanges, infrastructure hosted on a sovereign cloud. But the platform was deployed across a highly heterogeneous population, without consistent security behaviors: inadequate awareness of phishing and social manipulation, poor secrets hygiene in shared scripts, sensitive data dropped into unencrypted public rooms due to a lack of clear distinction between the two types of spaces.
Mistaking product certification for deployment security is not a mistake made only by public sector organizations.
Three Levers the Tchap Incident Puts Back on the Table
For any organization deploying a collaborative messaging platform — sovereign, SaaS, or on-premise — the Tchap affair highlights three operational imperatives:
- Account and access security: a single compromised account was enough to open the breach. Robust multi-factor authentication and behavioral detection of anomalous logins are not optional.
- Rigorous secrets management: credentials left in a script shared via a messaging room are a basic security failure. Secrets management policies must cover all internal channels, including collaborative tools.
- Classification of communication spaces: not every channel on a given platform offers the same confidentiality guarantees. Making users aware of this distinction — and restricting what can be shared in public rooms — is non-negotiable from day one of any deployment.
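The classification check from the third lever, applied to Matrix room state, as an added example that is not code from the original article or from Tchap or DINUM: a defender-side audit that flags rooms anyone can join or read but that carry no end-to-end encryption. It assumes the room state has already been fetched from the homeserver; the event types are Matrix's own, while the room IDs and names in SAMPLE_ROOMS are constructed.

```python
# Added example (not Tchap's or DINUM's code): flag Matrix rooms that are
# joinable or readable by anyone yet carry no end-to-end encryption, the
# gap the incident exploited. Uses standard Matrix state event types;
# the room IDs and names in SAMPLE_ROOMS are constructed.
from typing import Dict, List

MEGOLM = "m.megolm.v1.aes-sha2"  # the algorithm Matrix E2EE rooms use
def classify_room(room_id: str, state: List[dict]) -> dict:
    """Return a finding for one room from its current state events.
    Matrix only encrypts a room that has an m.room.encryption event;
    a public room without one is the Tchap exposure class."""
    name, join_rule, history, encrypted = "", "invite", "shared", False
    for ev in state:
        t, c = ev.get("type"), ev.get("content", {})
        if t == "m.room.name":
            name = c.get("name", "")
        elif t == "m.room.join_rules":
            join_rule = c.get("join_rule", "invite")
        elif t == "m.room.history_visibility":
            history = c.get("history_visibility", "shared")
        elif t == "m.room.encryption":
            encrypted = c.get("algorithm") == MEGOLM
    public = join_rule == "public" or history == "world_readable"
    if public and not encrypted:
        risk = "critical"  # clear-text history, open to any account
    elif public or not encrypted:
        risk = "review"
    else:
        risk = "ok"
    return {"room_id": room_id, "name": name, "public": public,
            "encrypted": encrypted, "history": history, "risk": risk}

def audit_rooms(rooms: Dict[str, List[dict]]) -> List[dict]:
    """Audit every room; most severe findings first."""
    order = {"critical": 0, "review": 1, "ok": 2}
    return sorted((classify_room(r, s) for r, s in rooms.items()),
                  key=lambda f: order[f["risk"]])

# Constructed sample state for two rooms (IDs and names are invented).
SAMPLE_ROOMS = {
    "!ops:example.org": [
        {"type": "m.room.name", "content": {"name": "ops-scripts"}},
        {"type": "m.room.join_rules", "content": {"join_rule": "public"}},
    ],
    "!dm:example.org": [
        {"type": "m.room.name", "content": {"name": "direct chat"}},
        {"type": "m.room.join_rules", "content": {"join_rule": "invite"}},
        {"type": "m.room.encryption", "content": {"algorithm": MEGOLM}},
    ],
}
```

Rooms rated "critical" are the ones where a single compromised account can read and exfiltrate everything ever posted; "review" covers rooms that are either open but encrypted or closed but in clear text.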
Technological sovereignty is a necessary condition, not a sufficient one. What happened with Tchap can happen to any organization that underestimates the human factor in front of an otherwise well-designed architecture.