France’s data protection authority has fined France Travail, the country’s public employment agency, €5 million, or about $6 million, after a 2024 cyberattack exposed the personal data of tens of millions of registered job seekers due to inadequate security controls.
The penalty was announced Thursday by the Commission nationale de l’informatique et des libertés, which said attackers breached France Travail’s computer systems early last year through social engineering techniques that allowed them to take over internal accounts. Those accounts belonged to organizations responsible for supporting and monitoring the employment of people with disabilities, giving the attackers broad access to sensitive databases.
The breach exposed data belonging to individuals who had registered with France Travail over the past 20 years. While no health information was accessed, the compromised data included national insurance numbers, email addresses, postal addresses and telephone numbers. When the incident was first disclosed, France Travail estimated that up to 43 million people could be affected, later revising the figure to 36.8 million.
France Travail is the primary government body responsible for registering job seekers, administering unemployment benefits and supporting job placement nationwide. The regulator said the fine reflects the agency’s failure to comply with core security obligations under the European Union’s General Data Protection Regulation, as well as the scale of the breach and the sensitivity of the data involved.
Investigators identified multiple security shortcomings, including weak authentication procedures, insufficient logging and monitoring to detect abnormal activity, and overly broad access rights that exceeded operational needs. The authority said these deficiencies made it easier for attackers to gain and maintain access to internal systems.
In addition to the financial penalty, the regulator ordered France Travail to immediately implement appropriate technical and organizational measures to secure its systems. A deadline has been set for additional improvements, and failure to meet those requirements could result in further sanctions of €5,000 per day until full compliance is achieved.
In a statement, France Travail said it was fully aware of the seriousness of the incident and its responsibility to protect personal data. The agency said it does not contest the decision but expressed regret over the severity of the fine, citing steps taken since the breach to strengthen cybersecurity and protect users’ information.
The regulator noted that the amount of the fine also took into account France Travail’s status as a publicly funded body and the remedial actions implemented after the attack. Under GDPR rules, the maximum possible penalty for a public authority providing a service rather than generating revenue is generally capped at €10 million.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd.