France Travail: France fines unemployment agency €5 million over data breach

France’s Employment Agency Fined €5 Million After Massive Data Breach Affecting 43 Million

France’s data protection authority, the National Commission on Informatics and Liberty (CNIL), has imposed a €5 million fine on France Travail (formerly Pôle Emploi), the country’s national employment agency, for failing to secure the personal data of job seekers. The penalty follows a cyberattack in early 2024 that exposed the sensitive information of up to 43 million individuals, one of the largest breaches in French history.

The stolen data, spanning 20 years of records, included names, dates of birth, national insurance numbers, email and home addresses, and phone numbers. While bank details and passwords remained unaffected, the breach raised significant privacy concerns, particularly as the agency manages extensive databases for unemployment benefits and job placement.

According to CNIL, the attackers used social engineering tactics to compromise the accounts of CAP EMPLOI advisers, organizations that support people with disabilities in employment. By exploiting human vulnerabilities, the hackers gained unauthorized access to France Travail’s systems.

This incident marks the second major breach for the agency in less than a year. In August 2023, a separate attack exposed the personal data of 10 million individuals, including social security numbers.

CNIL has ordered France Travail to implement corrective security measures and submit a detailed compliance plan. Failure to do so will result in daily penalties of €5,000 until the agency addresses its vulnerabilities.

The fine adds to CNIL’s recent enforcement actions, including a €325 million penalty against Google for cookie violations and a €150 million fine on Shein’s Irish subsidiary for GDPR breaches. Most recently, the authority fined Free Mobile and its parent company €42 million over an October 2024 data breach.

Source: https://www.bleepingcomputer.com/news/security/france-fines-unemployment-agency-5-million-over-data-breach/

France Travail cybersecurity rating report: https://www.rankiteo.com/company/france-travail

"id": "FRA1769697920",
"linkid": "france-travail",
"type": "Breach",
"date": "1/2024",
"severity": "100",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '43,000,000 individuals',
                        'industry': 'Employment Services',
                        'location': 'France',
                        'name': 'France Travail (formerly Pôle Emploi)',
                        'size': 'Large (national agency)',
                        'type': 'Government Agency'}],
 'attack_vector': 'Social Engineering',
 'data_breach': {'number_of_records_exposed': '43,000,000',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (PII, employment records)',
                 'type_of_data_compromised': ['Names',
                                              'Dates of birth',
                                              'National insurance numbers',
                                              'Email addresses',
                                              'Home addresses',
                                              'Phone numbers']},
 'date_detected': '2024-01-01',
 'description': 'France’s data protection authority, the National Commission '
                'on Informatics and Liberty (CNIL), has imposed a €5 million '
                'fine on France Travail (formerly Pôle Emploi), the country’s '
                'national employment agency, for failing to secure the '
                'personal data of job seekers. The penalty follows a '
                'cyberattack in early 2024 that exposed the sensitive '
                'information of up to 43 million individuals, one of the '
                'largest breaches in French history.',
 'impact': {'brand_reputation_impact': 'Significant',
            'data_compromised': '43 million records',
            'financial_loss': '€5,000,000 (fine)',
            'identity_theft_risk': 'High',
            'legal_liabilities': 'Potential daily penalties of €5,000 for '
                                 'non-compliance',
            'operational_impact': 'Regulatory scrutiny, compliance '
                                  'requirements',
            'payment_information_risk': 'None (bank details unaffected)',
            'systems_affected': 'France Travail’s employment and benefits '
                                'databases'},
 'initial_access_broker': {'entry_point': 'Compromised CAP EMPLOI adviser '
                                          'accounts'},
 'investigation_status': 'Ongoing (CNIL enforcement)',
 'post_incident_analysis': {'corrective_actions': 'Security improvements '
                                                  'mandated by CNIL',
                            'root_causes': 'Inadequate security measures, '
                                           'social engineering vulnerability'},
 'recommendations': 'Implement corrective security measures and submit a '
                    'compliance plan to CNIL',
 'references': [{'source': 'CNIL'}],
 'regulatory_compliance': {'fines_imposed': '€5,000,000',
                           'regulations_violated': ['GDPR'],
                           'regulatory_notifications': 'CNIL enforcement '
                                                       'action'},
 'response': {'remediation_measures': 'Corrective security measures ordered by '
                                      'CNIL'},
 'title': 'France’s Employment Agency Fined €5 Million After Massive Data '
          'Breach Affecting 43 Million',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Human vulnerabilities (compromised adviser '
                            'accounts)'}