A massive data breach at a French employment agency is affecting over 43 million users – representing more than half of France’s total population.
A large-scale data breach has compromised the personal information of a staggering 43 million French workers, raising concerns about identity theft and fraud. The attack is believed to have impacted around two-thirds of France’s population. The unclaimed cyberattack targeted two French employment agencies, France Travail and Cap Emploi.
On March 13, 2024, French employment agency France Travail, previously called Pole Emploi, announced becoming the victim of a data breach that exposed the personal data of their registered users. This includes names, social security numbers, dates of birth, email, postal addresses, phone numbers, and user IDs.
France Travail named another organisation, Cap Emploi, a government employment service supporting people with disabilities, as the victim of this breach. France Travail confirmed that login credentials, passwords, and bank details are not at risk.
On March 8, the agency notified the Commission Nationale de l’Informatique et des Libertés (CNIL), the national data protection agency, and filed a police complaint after which a formal investigation was launched.
Initial probing by the Paris Public Prosecutor’s Office and the Cybercrime Brigade of the Paris Judicial Police Department revealed that a malicious actor gained unauthorized access to Cap Emploi’s systems on February 6, impersonating a Cap Emploi civil service officer. France Travail began noticing suspicious activity within its IT systems between February 6 and March 5, 2024.
According to CNIL, a cyberattack on France Travail (francetravail.fr) could have potentially exposed data of those currently registered on the job seekers list, those registered over the last 20 years, and those with a candidate space on the platform. The company will notify impacted users individually.
The French cybersecurity community has criticised France Travail’s security shortcomings; some professionals were surprised that the agency took around a month to notify the authorities and that 20 years’ worth of users’ data was accessible online.
While organisations are legally required to keep users’ data for a certain period, storing the oldest records in a secure backup repository is generally recommended. The CNIL has now initiated an investigation to assess whether the company’s data security measures comply with the EU’s General Data Protection Regulation (GDPR).
Interestingly, ethical hacker Olivier Laurelli (aka Bluetouff) had attempted in February to publicly notify France Travail of security flaws in the agency’s new web application, without receiving a response. The French government has warned of potential cyber threats, including phishing, scams, and identity theft, following the data breach.
CNIL is urging French workers to remain vigilant and be cautious of any suspicious communication. They recommend monitoring bank statements closely for unusual activity and considering placing a fraud alert on credit reports.
This massive data breach comes as a significant blow to France’s reputation for data security, highlighting the need for stricter regulations and improved cybersecurity practices within French companies, particularly those handling sensitive employee data.
Expert Comments
For insights into the data breach, we reached out to Nick Tausek, Lead Security Automation Architect at Swimlane who added, “The scale of this latest breach surpasses previous incidents, highlighting the ongoing challenges faced by governmental agencies entrusted with safeguarding the personal data of millions.”
“To mitigate against these threats, organizations need to adopt a proactive cybersecurity approach. Investing in security platforms that centralize investigation and detection through the use of automation will allow security teams to respond to threats in real time and gain visibility across the SOC,” Nick advised.