France Slaps Unemployment Agency with €5M Data Breach Fine

Summary
– France Travail, the national employment agency, was fined €5 million by the CNIL for inadequate data security that led to a major 2024 breach.
– The breach exposed the personal data of up to 43 million people, including names, national insurance numbers, and contact details spanning two decades.
– Hackers used social engineering to compromise the accounts of advisers who support people with disabilities, gaining system access.
– The CNIL ordered the agency to implement corrective security measures, with daily penalties of €5,000 for non-compliance.
– This is part of a pattern, as the same agency suffered a breach in 2023, and the CNIL has issued other large fines to companies like Google and Shein for data violations.

The French data protection regulator has imposed a significant €5 million fine on the national unemployment agency, France Travail, following a major cybersecurity incident. This penalty underscores the severe consequences for organizations that fail to adequately protect the vast amounts of personal data they hold. The breach, which came to light in early 2024, compromised the information of an estimated 43 million individuals, making it one of the most substantial data exposures in the country’s recent history.
France Travail, the public body responsible for unemployment benefits and job-seeker support, maintains extensive databases containing sensitive personal details. The investigation by the National Commission on Informatics and Liberty (CNIL) revealed that hackers infiltrated the agency’s systems using social engineering techniques. This method involved manipulating the trust of employees to gain unauthorized access, specifically by hijacking the accounts of advisers working with people who have disabilities.
The stolen data is profoundly sensitive, encompassing full names, dates of birth, social security numbers, email and physical addresses, and phone numbers. This information, collected over a span of two decades, provides a comprehensive profile of millions of citizens. While the agency confirmed that financial details and account passwords were not accessed, and that complete files potentially containing health data remained secure, the scale of the exposed personal identifiers presents a serious risk of identity theft and fraud.
In addition to the financial penalty, CNIL has issued a corrective order mandating that France Travail document and implement enhanced security measures. The agency must provide a detailed schedule for these improvements. Failure to comply will result in accumulating daily fines of €5,000 until the data protection authority is satisfied that the vulnerabilities have been properly addressed.
This incident is not an isolated one for the employment agency. In August of the previous year, it experienced another breach that affected around 10 million people, exposing their names and social security numbers. The repeated nature of these security failures highlights systemic issues in the organization’s data protection protocols.
The fine against France Travail is part of a broader, assertive enforcement trend by French and European regulators. CNIL has demonstrated a willingness to levy substantial penalties against both public and private entities for data protection shortcomings. In recent actions, it fined Google €325 million for cookie regulation violations and imposed a €150 million penalty on Shein’s Irish subsidiary for GDPR breaches. More recently, mobile operator Free Mobile and its parent company were fined €42 million following a data breach in October 2024. These consistent enforcement actions send a clear message about the non-negotiable requirement to safeguard citizen and consumer data in the digital age.
(Source: Bleeping Computer)
