Executive Summary

Publication Date: December 22, 2025

On December 22, 2025, a significant cyberattack disrupted the operations of La Poste, France’s national postal service, and its banking subsidiary, La Banque Postale, during the critical Christmas rush. The incident, identified as a distributed denial of service (DDoS) attack, rendered online services inaccessible for more than eight hours, blocking and delaying package deliveries and online payments. While no customer data was compromised, the disruption affected millions of customers and employees at the height of the holiday season. This report provides a comprehensive analysis of the incident, its technical root cause, the scope of impact, and the response efforts undertaken by the affected organizations.

Incident Timeline

The cyberattack began in the early morning hours of Monday, December 22, 2025, when La Poste’s online services and La Banque Postale’s application became inaccessible. Throughout the day, postal workers and customers experienced significant delays and were unable to access essential services, including package tracking and online banking. By Monday evening, more than eight hours after the initial disruption, the incident remained unresolved. During this period, La Poste and La Banque Postale issued public statements confirming the attack and outlining alternative procedures, while Paris prosecutors initiated an official investigation into the matter.

Technical Root Cause

La Poste described the event as a “major network incident,” later confirmed to be a distributed denial of service (DDoS) attack. This attack overwhelmed the company’s network infrastructure, rendering its online services inaccessible. The technical disruption did not result in any breach of customer data, as explicitly stated by La Poste. The DDoS attack targeted both the postal service’s online platforms and the banking application of La Banque Postale, severely limiting digital operations and customer access.

Service Impact Analysis

The DDoS attack had a broad and immediate impact on La Poste’s digital services. Online package tracking, internal computer systems, and online payment processing were all rendered inoperable. As a result, package deliveries and online payments were blocked or delayed, and transactions requiring access to internal systems could not be completed. However, traditional mail services, including the mailing and delivery of letters and holiday greeting cards, continued without interruption. La Banque Postale customers were unable to use the application for payment approvals or other banking services, prompting the bank to redirect approvals to text messages as a temporary workaround.

Customer Impact

The disruption affected millions of customers during the busiest period of the year. Frustrated customers faced blocked or delayed package deliveries, inability to track shipments, and limited access to online banking services. Postal workers had to manage increased customer dissatisfaction and operational challenges. Despite the scale of the disruption, La Poste assured customers that their data remained secure and unaffected by the attack. La Banque Postale communicated actively via social networks, informing customers of the situation and providing alternative methods for payment approvals.

Response and Recovery

In response to the attack, La Poste and La Banque Postale mobilized technical and operational teams to restore services and mitigate the impact. The organizations issued timely public statements, confirmed the nature of the attack, and provided updates on recovery efforts. La Banque Postale implemented alternative payment approval methods via text messages to maintain some level of service continuity. Paris prosecutors launched an official investigation into the incident, reflecting the seriousness of the attack and its potential implications for national infrastructure. As of Monday evening, the incident remained unresolved, with ongoing efforts to restore full service.

Business Impact

The timing and scale of the attack had a significant business impact on La Poste and La Banque Postale. With 2.6 billion packages delivered annually and over 200,000 employees, the disruption affected a vast customer base and critical business operations. The incident occurred during the peak of the Christmas season, amplifying its effects on both customers and employees. Blocked and delayed package deliveries, interrupted online payments, and increased operational strain on postal workers contributed to a challenging business environment. The reputational impact was also considerable, given the high visibility of the disruption and its timing.

Lessons Learned

This incident highlights the vulnerability of essential public services to large-scale cyberattacks, particularly during periods of heightened demand. The rapid communication by La Poste and La Banque Postale, along with the implementation of alternative service methods, mitigated some customer frustration and maintained a degree of operational continuity. However, the event underscores the need for robust DDoS mitigation strategies, enhanced network resilience, and comprehensive incident response planning. The broader context of recent cyberattacks on French infrastructure suggests an ongoing threat landscape that requires continuous vigilance and investment in cybersecurity measures.

References

Associated Press via ClickOnDetroit, December 22, 2025. Official statements from La Poste and La Banque Postale (December 22, 2025). Incident coverage and analysis from French media and government sources.

About Rescana

Rescana is a leading provider of third-party risk management (TPRM) solutions, empowering organizations to proactively identify, assess, and mitigate cyber risks across their supply chains and digital ecosystems. Our platform delivers actionable insights and continuous monitoring to help businesses strengthen their security posture and ensure operational resilience.

For further information or questions regarding this report, please contact us at ops@rescana.com.