Table of Contents
Can you imagine the scale of a cyberattack that could affect thousands of people, from employees to business partners, and clients of a major company? This is exactly what Eiffage, the construction giant, recently experienced when targeted by the hacker group LAPSUS$. Discover how this attack was orchestrated and what its consequences are for the victims.
The 3 key facts not to miss
On February 25, 2026, the LAPSUS$ group claimed an attack against Eiffage, a well-known name in the construction and public works sector. The collective claimed to have exfiltrated a database containing precisely 175,942 records. This information came from NextSend, an internal file transfer platform widely used by Eiffage for its communications.
NextSend, developed by the French company Hegyd, allows the sending of large files between collaborators and partners. This attack therefore affected not only Eiffage employees but also a large number of its external partners.
Among the 175,942 individuals affected, 50,336 are directly employed by Eiffage, while 125,606 are external contacts, including clients, subcontractors, and partners. This sensitive information exposes the victims to potential phishing attacks. Hackers could use this data to create very convincing fraudulent messages specifically targeting these individuals.
In response to these threats, Eiffage has set up a warning page on its website, alerting users to the risks associated with fake invoice scams and identity theft, particularly through the use of SIRET and VAT numbers extracted from the compromised data.
LAPSUS$ is not new to making headlines against French companies. In January 2026, the group had already made waves by hacking ENI, exposing the information of thousands of professional clients. This strategy of targeting publicly traded companies is part of their logic of maximum pressure, fueling what they call their “wall of shame,” a public list of the victims of their attacks.
Eiffage, a major player in the construction sector, achieves a turnover of 25 billion euros, as confirmed in its annual results published on February 24, 2026. This publicly traded company is not the only one to have been targeted by cyberattacks of this magnitude. Competitors like Bouygues and Vinci have also faced similar threats, highlighting the need for companies to strengthen their security measures to protect the sensitive data of their clients and partners.