1,250 Cyberattacks Per Day in France – and the Question Every Small Practice Must Ask
Cybercrime is not a future threat. It is happening now – every day, at industrial scale, requiring ever less technical expertise. This is not scaremongering: these are figures published by the commander of the French National Gendarmerie’s cyber unit.
An industrialisation we can no longer ignore
General Hervé Petry, commander of UNCyber – the French Gendarmerie’s National Cyber Unit – published a striking figure in 2025: cyberattacks in France rose by 87% over five years. In 2025 alone, 453,200 digital incidents were recorded – close to 1,250 cases every single day.
“We are facing a massification of attacks that can, in some respects, make your head spin. Cybercrime is industrialising: logisticians and IT workers operate together, and tools available on the market are being deployed at scale, without necessarily requiring significant technical skills.” – General Hervé Petry, UNCyber
That last point deserves attention. The world of cyberattacks is no longer the world of lone geniuses. Today, a malicious actor can launch an effective attack without advanced technical training – the necessary tools are available to anyone. This means the assumption “we’re small, no one will target us” is now fundamentally wrong.
It’s not only the large organisations that are targeted
A common misconception persists: the targets of cyberattacks are large corporations, banks, and government institutions. The small law firm, the medical practice, the accountant – they are “not interesting”.
This view is increasingly dangerous, precisely because attacks have been industrialised: hackers no longer search for a specific target – they automatically scan networks and strike wherever a door has been left open. Size does not protect. Vulnerability is what determines exposure.
To use a burglary analogy: the thief does not necessarily choose the largest house, but the one whose window was left ajar.
Numbers that make your head spin
To grasp the true scale of the problem, it is enough to follow the French incidents of recent months – one after another, without commentary.
At the end of 2025, a healthcare software database was breached: data belonging to 15 million French patients – including identifiable personal information of HIV patients – fell into unauthorised hands. Experts described the incident as “very serious”: for some patients, public identification may have irreversible consequences. The breach occurred in late 2025 but was only revealed in February – and passed largely unnoticed, as the public had grown numb from one scandal following the next.
Shortly after: the personal data of 774,000 students and former students were exfiltrated from a student housing platform. Then France Travail announced that 1.6 million young people supported by local employment agencies had their names, addresses and social security numbers stolen. At the end of March, nearly 1.5 million victims were identified following an attack on the secretariat-general of Catholic education. Incidents follow one another at a dizzying pace.
“The number of breaches affecting more than one million people has doubled in one year, rising from around twenty to around forty successful attacks.” – CNIL, 2024 Annual Report
This figure does not come from a security company’s marketing material, but from the official report of the French data protection authority. The CNIL itself states it plainly: large-scale attacks have become systematic.
The physical dimension that rarely gets mentioned
We tend to picture cyberattacks as a purely digital phenomenon: someone on another continent, clicking in a dark room, and data leaks out. The reality is more nuanced – and physically closer to home.
Christophe Renard, a security expert who has conducted over 2,000 security audits, describes the typical scenario: the fake intern who enters the premises, obtains a badge, gains access to the server room, and places a USB key on a workstation. Antony Bergès, head of the Inop’s cybersecurity group, confirms it: unauthorised physical intrusion is often the starting point of a digital attack.
“Every employee must develop sound digital hygiene: secure passwords, immediate deletion of suspicious emails – and above all: never enter confidential company data into a chatbot.” – Antony Bergès, Inop’s
This warning is not directed only at employees of large corporations. A member of staff in a small practice is just as much a potential target – and is often less well prepared.
Where the data lives is the key question
When a professional software tool – whether a document management system, a practice management platform, or a patient records application – is cloud-based, the data lives on a shared server. This is convenient: accessible from anywhere, automatically backed up, requiring no maintenance on the user’s part.
But there is a structural consequence: if that server is attacked, all the data stored on it is compromised at once. Not just one practice’s data – but that of everyone using the same platform.
Local storage, by contrast, presents a different risk profile. If data resides exclusively on a local machine, the potential impact of an attack is physically contained. The risk is not zero – but its structure is different.
The question is not which solution is “safe” and which is “dangerous”. The question is: what risk are we accepting in our specific situation – and are we doing so consciously?
The state is doing its part – but it is not enough
General Petry announced that UNCyber operates with 26 regional branches and 10,500 trained gendarmerie cyber officers, and will triple its specialist headcount by 2028 – reaching 1,000 experts at the “upper end of the spectrum”. The number of undercover investigators will rise from 1,300 to 2,000, and 300 cryptocurrency specialists will complete the unit.
This is a significant effort. But General Petry himself put it plainly:
“This shift will only be effective if the entire ecosystem mobilises.” – General Hervé Petry
We are all part of that ecosystem: small practices, independent professionals, sole traders. The state is developing its infrastructure – but the data sits on our machines, in our systems.
The question of responsibility
Perrine Sailly, who leads the association “Victimes mais pas démunies”, raises an important point: companies and institutions that are attacked typically present themselves as victims. Seen from another angle, however, those who do not do everything necessary to protect personal data bear responsibility for its exposure.
The GDPR applies in France and holds the data controller responsible for the protection of personal data. This is not merely an internal matter for the organisation concerned: in a medical practice, it is patient data at stake; in a law firm, it is client data. The responsibility does not rest with the state or the software provider – it rests with us.
What can we do?
You do not need to be an IT specialist to make informed decisions about protecting your data. Here are a few fundamental questions worth asking:
• Where is my professional data stored – locally or on a cloud server?
• Who has access to that server, and under what conditions?
• What happens to my data if my provider is attacked?
• Is there a backup that is not stored on the same server?
• Can my colleagues recognise suspicious emails and social engineering attempts?
These are not technical questions. They are strategic decisions that concern every independent professional and every small practice.
It is also worth highlighting a technical point: in a correctly configured local RAG (retrieval-augmented generation) system, the original documents (docx, pdf…) can be deleted after processing. What remains on the machine is what is known as a vector index – a set of mathematical representations from which no readable, directly usable data can be recovered. Only the language model installed locally is able to work meaningfully with this index. This does not make the system invulnerable – no such guarantee exists – but it gives a structurally different protection profile, and therefore a different level of protection, compared to a readable database stored on a cloud server.
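One way to check that configuration after the originals are deleted, as an added example that is not ArkeoAI's code: search the files left in the index directory for known phrases ("canaries") from the source documents, since many vector stores keep the chunk text next to the vectors. The index layout, file names and sample phrases below are constructed for illustration.

```python
import json
import struct
from pathlib import Path

def build_index(chunks, store_text):
    """Constructed toy index (not a real product format): float32 vectors + JSON metadata."""
    vectors = b"".join(
        struct.pack("<4f", *(((len(c) * k) % 97) / 97 for k in (1, 3, 5, 7)))
        for c in chunks
    )
    meta = [{"id": i, "text": c} if store_text else {"id": i}
            for i, c in enumerate(chunks)]
    return vectors + json.dumps(meta).encode("utf-8")

def encodings_of(phrase):
    """Byte forms a phrase may take on disk, including JSON \\uXXXX escaping."""
    return {
        phrase.encode("utf-8"),
        phrase.encode("utf-16-le"),
        json.dumps(phrase)[1:-1].encode("ascii"),
    }

def audit_blob(blob, canaries):
    """Return the canary phrases that are still readable in an index blob."""
    return [p for p in canaries if any(e in blob for e in encodings_of(p))]

def audit_dir(index_dir, canaries):
    """Map each file under index_dir to the canaries found in it (empty dict = clean)."""
    report = {}
    for path in sorted(Path(index_dir).rglob("*")):
        if path.is_file():
            hits = audit_blob(path.read_bytes(), canaries)
            if hits:
                report[path.name] = hits
    return report

# Constructed sample chunks standing in for text taken from a deleted source document.
CHUNKS = ["Patient Dupont, née en 1974, traitement en cours.",
          "Invoice 2025-014 for client Martin, 1 200 EUR."]
CANARIES = ["née en 1974", "client Martin"]

if __name__ == "__main__":
    print(audit_blob(build_index(CHUNKS, store_text=True), CANARIES))
    print(audit_blob(build_index(CHUNKS, store_text=False), CANARIES))
```

A plain UTF-8 search would miss the accented phrase here because the metadata stores it JSON-escaped, which is why the audit tries several encodings.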
About ArkeoAI
ArkeoAI provides fully offline, on-premise artificial intelligence solutions for small professional practices – law firms, medical practices, accounting offices. Your data never leaves your premises. No cloud, no shared server, no third party – just your documents and a local AI system that helps you work with them.
Source: Le Figaro, 7 April 2026 – General Hervé Petry, commander of UNCyber, French National Gendarmerie; Christophe Renard and Antony Bergès, Inop’s; Perrine Sailly, Victimes mais pas démunies. The ArkeoAI blog publishes content for informational purposes only; it does not constitute legal or security advice.
