- A threat actor is advertising 3.9 terabytes of alleged surveillance footage from a French E.Leclerc supermarket on a dark net forum.
- The footage reportedly dates back to 2019, putting the company in direct conflict with French and EU data protection law.
- E.Leclerc has not issued any public statement, and France’s data protection authority holds the power to impose fines running into the millions of euros.

A threat actor just put 3.9 terabytes of alleged CCTV footage from a French supermarket up for sale on a dark web forum. The seller claims the archive belongs to an E.Leclerc location in Conflans-Sainte-Honorine, France, and says the recordings stretch all the way back to 2019.
The seller demands Bitcoin as payment and has attached a proof video to the listing to attract buyers. No independent source has confirmed whether the footage is genuine or whether other E.Leclerc locations face the same exposure.
Dark Web Actor Lists French Supermarket Footage for Bitcoin
The listing drew immediate attention from the cybersecurity community. What the alleged archive contains matters just as much as its size. Surveillance footage from a large retail chain captures customer movement patterns, payment area activity, staff schedules, logistics corridors, parking lots, and security response procedures. In the wrong hands, that material becomes a physical reconnaissance toolkit, useful for criminal planning, employee targeting, and retail security mapping.
One French cybersecurity observer framed the bigger risk clearly. According to the commenter, the real danger with modern CCTV systems now goes well beyond the footage itself.
These systems connect to access controls, AI analytics platforms, license plate readers, and in some cases, facial recognition tools. A leak no longer means just a compromised camera. It opens a potential doorway into all of those systems at once.
That framing redraws the threat entirely. This is not a breach of a password database. It is a breach of a living security infrastructure.
Footage Dating to 2019 Puts E.Leclerc in Legal Crosshairs
The retention timeline is where this story turns into a serious legal problem. French law and the EU’s General Data Protection Regulation both require organisations to delete surveillance recordings within weeks, not years. If the footage truly dates to 2019, E.Leclerc would be sitting on a six-year retention window that violates both frameworks outright.
The incident follows another French data breach. Réseau.site, a French IT firm, also suffered a breach with user records published online, adding to the scrutiny of French data protection practices.
French commenters online reacted with a mix of disbelief and frustration. One user said they could not understand how recordings from 2019 still existed when the law requires organisations to destroy them within a matter of weeks.
Another stated plainly that keeping surveillance footage for that length of time is completely unlawful in France. A third noted that a seven-year archive would likely create serious legal consequences for the company.
Standard network video recorder systems typically overwrite footage every three to six months. If this archive genuinely spans years, it points to something well outside normal operations, whether compromised backup storage, exposed archival servers, improperly decommissioned infrastructure, or sustained unauthorised access over a long period. None of those possibilities offers any comfort.
One commenter captured the broader frustration sharply, asking how any company could store that volume of data for that long and still fail to secure it.
France Reacts as E.Leclerc Stays Silent
E.Leclerc has not issued any public statement. The CNIL, France’s national data protection authority, holds the power to investigate both the breach and the retention violation as separate offences. GDPR fines can run into the millions of euros, and a case combining an apparent breach with unlawful long-term retention would likely draw serious regulatory scrutiny.
The political dimension also surfaced in the online reaction. One verified French commenter directed anger squarely at citizens who supported the surveillance expansion laws, arguing they now live with the direct consequences of that choice. Others mixed sharp technical criticism with wider frustration at the institutions that approved and enabled those systems in the first place.
Whether this listing is authentic or a bluff, the questions it raises do not go away. Retailers across Europe store enormous volumes of surveillance data. How they protect it, how long they keep it, and how they eventually dispose of it remain questions the industry has not answered convincingly. This incident just pushed all of them back into the spotlight.