Data Breach at French Social Security Agency Pajemploi Exposes 1.2 Million Individuals
Pajemploi, a French social security service under URSSAF that supports parents and home-based childcare providers, has suffered a significant data breach impacting approximately 1.2 million professional caregivers. The breach, detected on November 14, resulted in the theft of personal data including full names, places of birth, postal addresses, social security numbers, names of banking institutions, Pajemploi numbers, and accreditation numbers. However, sensitive information such as bank account numbers (IBANs), email addresses, phone numbers, and account passwords was not accessed. Pajemploi has stated that its operational services remain unaffected and has taken immediate steps to secure its systems, while also notifying the French Data Protection Authority (CNIL) and the National Agency for the Security of Information Systems (ANSSI).
All affected individuals will be notified directly by Pajemploi, and the agency has advised heightened vigilance against potential fraudulent communications. The breach specifically affects employees of private employers using the Pajemploi service, raising concerns about the risk of identity theft and social engineering attacks. URSSAF has recommended that users remain alert for suspicious emails or SMS messages that could exploit the exposed data.
Related Stories

CNIL Fines France Travail €5 Million After Social-Engineering Breach Exposed Job Seeker Data
France’s data protection authority **CNIL** fined public employment agency **France Travail** €5 million for failing to implement security measures appropriate to the risk (citing **GDPR Article 32**) after attackers accessed job-seeker data via **social engineering**. Investigators said the attackers compromised accounts used by staff at **Cap emploi** (a partner organization), and that existing safeguards did not sufficiently reduce the risk of unauthorized access through compromised accounts. The intrusion enabled access to personal data associated with roughly **43 million** people, including current registrants, former registrants going back about **20 years**, and individuals with candidate profiles on `francetravail.fr`. Exposed data included **social security/national insurance numbers**, names and dates of birth, and contact details (email, postal address, phone); reporting noted the breach did **not** include bank details or account passwords and did not provide complete job-seeker files. CNIL ordered France Travail to provide evidence and a schedule of corrective actions, backed by a conditional **€5,000/day** penalty for non-compliance.
1 month ago
French Football Federation Data Breach via Compromised Account
The French Football Federation (FFF) suffered a significant cyberattack in which threat actors exploited a compromised user account to access the federation’s administrative management software. This breach resulted in the theft of sensitive personal data belonging to over two million registered amateur football players and club members, including names, dates and places of birth, nationalities, postal and email addresses, phone numbers, and football license numbers. Financial data and passwords were reportedly not affected. Upon discovering the breach on November 20, 2025, the FFF immediately deactivated the compromised account, reset all user passwords, and secured its systems. The FFF has filed a formal complaint with French authorities and notified both the National Cybersecurity Agency (ANSSI) and the National Commission on Informatics and Liberty (CNIL). Affected individuals whose email addresses were exposed are being contacted directly, and the federation has urged all members to be vigilant against potential phishing attempts and scams leveraging the stolen data. This incident highlights the growing cyber risks faced by sports organizations and underscores the need for robust cybersecurity measures to protect large volumes of personal information managed by such entities.
3 months ago
Multiple Data Exposure and Breach Reports Involving French Citizens, Victorian Students, and Alleged PayPal Credentials
Security researchers reported a large, publicly exposed database on an open cloud server containing **tens of millions of French citizen records** aggregated from at least five prior breaches, including voter data, healthcare entries, CRM contacts, financial profiles (including **IBANs/BICs**), and vehicle-related information. The dataset appears to have been compiled to increase resale value and enable identity cross-linking, elevating risks of **phishing, fraud, and identity theft**. Separately, Australia’s **Victorian Department of Education** notified parents that an unauthorized party accessed a student database containing names, school names, year levels, school-issued email addresses, and **encrypted passwords**, prompting a forced password reset and temporary account access disruption; the department stated more sensitive fields (e.g., home addresses, phone numbers) were not exposed and investigators had not confirmed public release. In another unrelated report, researchers questioned the veracity of a newly claimed **PayPal** breach, assessing a ~100,000-record credential “combolist” as likely **outdated infostealer-log data** rather than evidence of a fresh PayPal compromise, noting PayPal’s prior refutation of similar claims and the practical barriers posed by MFA.
2 months ago