France Travail Fined €5 Million After Data of Nearly 37 Million Job Seekers Was Exposed

30.01.2026 2 minutes Author: Newsman

France’s public employment agency, France Travail, was ordered to pay a fine of €5 million as a result of the biggest data breach in French history. In the breach, the private details of nearly 37 million individuals who had registered as job seekers over the last 20 years were stolen from France Travail’s databases.

The attack on France Travail took place in March 2024 and was conducted through social engineering rather than a technical vulnerability. The hackers used phishing emails to convince IT support staff at France Travail to reset all of the passwords for accounts in a department called Cap Emploi, an organization that helps disabled individuals find jobs.

After the passwords were reset, the hackers called a real Cap Emploi staff member and pretended to be the IT helpdesk. They succeeded in getting the new password, which allowed them to gain unauthorized access to the internal computer systems of France Travail.

Approximately 25 GB of data was taken from France Travail’s systems, including the Social Security numbers, e-mail addresses, mailing addresses, and telephone numbers of nearly 37 million individuals. Authorities have stated that no full files with sensitive health-related data were compromised in the breach. According to France’s data protection agency, the CNIL, France Travail breached Article 32 of the General Data Protection Regulation (GDPR) by not implementing sufficient technical and organizational safeguards to protect against unauthorized or accidental access to and processing of data.

During the investigation into the breach, it was discovered that:

  • Only eight-character passwords were permitted;

  • Multi-Factor Authentication (MFA) was not employed;

  • Accounts could only be locked after 50 consecutive unsuccessful login attempts.

The agency has been given one month to put in place the necessary corrections; if it fails to do so, it will be subject to a €5,000 per day penalty.

This latest breach demonstrates once again the vulnerabilities of even the largest public organizations when they fail to follow the most basic cyber-security principles. As has been demonstrated repeatedly, social engineering techniques are extremely effective, and when combined with inadequate authentication protocols and the lack of Multi-Factor Authentication (MFA), attacks can be launched at a national level.
