CNIL Fines France Travail €5 Million After Social-Engineering Breach Exposed Job Seeker Data

Updated January 30, 2026 at 07:01 PM | 4 sources

France’s data protection authority CNIL fined public employment agency France Travail €5 million for failing to implement security measures appropriate to the risk (citing GDPR Article 32) after attackers accessed job-seeker data via social engineering. Investigators said the attackers compromised accounts used by staff at Cap emploi (a partner organization), and that existing safeguards did not sufficiently reduce the risk of unauthorized access through compromised accounts.

The intrusion enabled access to personal data associated with roughly 43 million people, including current registrants, former registrants going back about 20 years, and individuals with candidate profiles on francetravail.fr. Exposed data included social security/national insurance numbers, names and dates of birth, and contact details (email, postal address, phone); reporting noted the breach did not include bank details or account passwords and did not provide complete job-seeker files. CNIL ordered France Travail to provide evidence and a schedule of corrective actions, backed by a conditional €5,000/day penalty for non-compliance.

Related Stories

Nexpublica France Fined for Inadequate Security After Data Breach

France’s data protection authority, CNIL, imposed a €1.7 million ($2 million) fine on the software company Nexpublica France following a data breach that exposed sensitive documents of third parties through a company portal. The breach, reported in November 2022, allowed users to access documents belonging to other individuals, prompting an investigation by CNIL, which found that Nexpublica’s data security program was insufficient and failed to meet basic security standards. The regulator cited several aggravating factors in determining the fine, including Nexpublica’s lack of awareness of fundamental security principles, the number of people affected, the sensitivity of the exposed data, and the company’s financial capacity. CNIL also noted that Nexpublica was aware of the security issues prior to the breach but did not take corrective action until after the incident, constituting a violation of the General Data Protection Regulation (GDPR).

2 months ago

Data Breach at French Social Security Agency Pajemploi Exposes 1.2 Million Individuals

Pajemploi, a French social security service under URSSAF that supports parents and home-based childcare providers, has suffered a significant data breach impacting approximately 1.2 million professional caregivers. The breach, detected on November 14, resulted in the theft of personal data including full names, places of birth, postal addresses, social security numbers, names of banking institutions, Pajemploi numbers, and accreditation numbers. However, sensitive information such as bank account numbers (IBANs), email addresses, phone numbers, and account passwords was not accessed. Pajemploi has assured that its operational services remain unaffected and has taken immediate steps to secure its systems, while also notifying the French Data Protection Authority (CNIL) and the National Agency for the Security of Information Systems (ANSSI). All affected individuals will be notified directly by Pajemploi, and the agency has advised heightened vigilance against potential fraudulent communications. The breach specifically targets employees of private employers using the Pajemploi service, raising concerns about the risk of identity theft and social engineering attacks. URSSAF has recommended that users remain alert for suspicious emails or SMS messages that could exploit the exposed data.

3 months ago
CNIL Fines Iliad Subsidiaries Free and Free Mobile for Security Failures Behind 2024 Data Breach

France’s data protection regulator **CNIL** issued a collective **€42 million** fine against Iliad Group subsidiaries **Free** and **Free Mobile** for **GDPR** violations tied to an October 2024 breach that exposed personal data for more than **24 million** individuals, including sensitive financial identifiers such as **IBANs**. CNIL cited the scale and sensitivity of the compromised data, as well as the companies’ profits, in setting penalties of **€27 million** for Free and **€15 million** for Free Mobile. Regulators said the intrusion was enabled by inadequate security controls, including a **weak VPN authentication process** and insufficient monitoring to detect anomalous activity. Reporting indicates the attacker accessed Free’s network via the corporate **VPN**, then reached Free Mobile’s subscriber management tool **MOBO**, which at the time allowed searches across both Free and Free Mobile customer datasets; exfiltration reportedly began in early October 2024 after initial access in late September. CNIL also faulted the companies for **insufficient breach communications** to impacted customers and for **improper data retention** (including retaining former subscribers’ data), while noting remediation steps have been initiated and further security improvements were ordered.

2 months ago
