France’s national employment agency has been slapped with a roughly $5.4 million fine after a sweeping data breach exposed personal information tied to 36.8 million people, an incident French regulators say was made worse by weak security controls and slow detection.
The breach, discovered in early 2024 after weeks of malicious activity, involved an estimated 25 gigabytes of stolen data. That’s about 25,000 megabytes, enough to hold millions of records. The compromised information included Social Security-style ID numbers, contact details, employment status, and disability-related information that can be sensitive enough to resemble health data.
Regulator: The problem wasn’t getting hacked, it was being unprepared
France’s privacy watchdog, the CNIL, which in U.S. terms combines roughly the FTC’s consumer protection role with that of privacy regulators, said it wasn’t punishing France Travail simply for being targeted. It fined the agency because its technical and organizational safeguards didn’t match the level of risk.
The CNIL’s message was blunt: cyberattacks happen, but systems should make intrusions harder, and, critically, should spot suspicious behavior fast. In this case, investigators say the attackers had time to move around, expand access, and siphon data before anyone shut it down.
What was exposed: ID numbers, contact info, employment status, and disability data
The scale is staggering. The affected population includes people currently registered with France Travail and those who were registered at any point over the last 20 years, plus users who created accounts on the agency’s website. For American readers, think of a government-run jobs and unemployment hub with records spanning two decades.
The exposed data included national identification numbers comparable in sensitivity to a Social Security number, along with email addresses, home addresses, and phone numbers. Combined, that’s prime fuel for identity theft and highly targeted phishing, messages that look official, reference real details, and pressure people into handing over more information or money.
The presence of disability-related information raises the stakes even further. Even if full case files weren’t accessed, disclosure of disability status or related support needs can carry real-world consequences, from privacy harms to potential discrimination.
Investigators say the attackers didn’t need a flashy, Hollywood-style exploit. They used social engineering, manipulating people into giving up access, to compromise accounts belonging to counselors at Cap emploi, a partner network that helps people with disabilities find and keep jobs.
Those hijacked accounts became a legitimate-looking doorway into France Travail’s systems. The CNIL said the authentication protecting those access paths wasn’t strong enough, especially given the sprawling ecosystem of partner organizations and users connecting into the platform.
CNIL flags two core failures: weak authentication and thin logging
The regulator zeroed in on two issues: authentication that didn’t provide enough protection for certain users, and inadequate logging, digital records that help security teams spot abnormal behavior.
Logs are the sensors of a modern security operation. Without strong, usable logs, it’s harder to detect red flags like unusual login times, strange locations, or accounts pulling far more data than their role would normally require. The CNIL argued that weak monitoring helped turn what could have been a short-lived intrusion into a weeks-long data extraction.
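The red flags named above (off-hours logins, unfamiliar locations, accounts pulling far more data than their role warrants, and the repeated failed logins France Travail says it now monitors) can be turned into simple rules over an audit log. The block below is an added example, not France Travail’s or the CNIL’s code; the log format, account names, IP addresses and thresholds are constructed assumptions for illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed sample audit lines (assumed format, not France Travail's):
# timestamp account event source_ip records_returned
SAMPLE_LOG = """\
2024-02-03T02:14:09 adviser01 login_failed 203.0.113.7 0
2024-02-03T02:14:31 adviser01 login_failed 203.0.113.7 0
2024-02-03T02:14:50 adviser01 login_failed 203.0.113.7 0
2024-02-03T02:15:44 adviser01 login_ok 203.0.113.7 0
2024-02-03T02:20:01 adviser01 export 203.0.113.7 48000
2024-02-03T10:05:12 adviser02 login_ok 198.51.100.4 0
2024-02-03T10:06:40 adviser02 search 198.51.100.4 12
"""

# Thresholds below are assumed policy values for the example, not real ones.
FAILED_LOGIN_LIMIT = 3          # failures on one account before alerting
BUSINESS_HOURS = range(7, 20)   # logins at 07:00-19:59 are considered normal
ROLE_RECORD_BASELINE = 200      # records a counsellor role normally pulls per day
KNOWN_SOURCES = {"adviser01": {"198.51.100.9"}, "adviser02": {"198.51.100.4"}}


def parse(log_text):
    """Split each non-blank line into a dict of typed fields."""
    rows = []
    for line in log_text.splitlines():
        if line.strip():
            ts, account, event, src, n = line.split()
            rows.append({"ts": datetime.fromisoformat(ts), "account": account,
                         "event": event, "src": src, "records": int(n)})
    return rows


def detect(log_text):
    """Return sorted (account, rule) pairs, one per red flag that fired."""
    alerts = set()
    failures, pulled = Counter(), Counter()
    for r in parse(log_text):
        if r["event"] == "login_failed":
            failures[r["account"]] += 1
        elif r["event"] == "login_ok":
            if r["ts"].hour not in BUSINESS_HOURS:
                alerts.add((r["account"], "off_hours_login"))
            if r["src"] not in KNOWN_SOURCES.get(r["account"], set()):
                alerts.add((r["account"], "unknown_source"))
        pulled[r["account"]] += r["records"]   # data volume per account
    alerts.update((a, "repeated_failed_logins") for a, n in failures.items() if n >= FAILED_LOGIN_LIMIT)
    alerts.update((a, "volume_above_role_baseline") for a, n in pulled.items() if n > ROLE_RECORD_BASELINE)
    return sorted(alerts)
```

In the constructed sample, only the compromised-looking partner account trips every rule, while the account working normal hours from a known address with a small query stays quiet; the point is that none of these rules work unless the log records timestamp, source and volume in the first place.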
France Travail says it has MFA and training, but oversight remains the question
France Travail said it acknowledges the penalty and pointed to steps it says it has taken: tighter password policies, stricter permissions, reduced access scopes, and multi-factor authentication (MFA). The agency also said it is boosting monitoring for suspicious activity, including repeated failed logins.
It also emphasized the size of its operation, about 54,000 employees, and said it blocks nearly 10,000 malicious acts each year. The agency has argued that human error drives the bulk of cyber incidents, citing internal estimates that 90% are linked to mistakes, and it requires mandatory cybersecurity training every six months for system access.
But the regulator’s underlying point remains: complexity isn’t an excuse, it’s a warning sign. When outside partners have access, the organization at the center still has to set the rules, enforce them, and audit compliance. For the millions of people caught up in the breach, the immediate risk is practical and personal: more convincing scams, more identity fraud attempts, and a long tail of exposure that could surface months, or years, later.
Key Takeaways
- France’s data protection authority (CNIL) fined France Travail €5 million after a leak affecting 36.8 million people.
- The attack relied on social engineering and the hijacking of Cap emploi accounts, with authentication deemed too weak.
- The regulator also criticized insufficient logging, which delayed the detection of abnormal behavior.
- The exposed data included Social Security numbers, contact details, and disability-related information.
- France Travail said it strengthened multi-factor authentication, permissions, access scopes, and monitoring for suspicious activity.
Frequently Asked Questions
What data was exposed in the France Travail breach?
The reported scope includes, in particular, Social Security numbers, email and mailing addresses, phone numbers, employment status, and disability-related information. The CNIL states that the attackers did not access full job seeker files, which may contain health data.
Why does the CNIL emphasize authentication and logs?
Because the attack was made easier by authentication procedures deemed not robust enough for certain types of access, and by inadequate logging to quickly spot abnormal behavior. Without usable audit trails, detection can take weeks, increasing the impact.
How was the attack made possible according to the CNIL?
The investigation describes an intrusion in the first quarter of 2024 using social engineering techniques, enabling the takeover of Cap emploi counselor accounts. Those accesses were then used to view and extract personal data at scale.
Can the complexity of the information system excuse the vulnerability?
No. The CNIL considers, on the contrary, that complexity and openness to multiple parties increase the security requirement. France Travail remains responsible for setting security rules, including when the system is shared with partners and joint controllers.
What measures does France Travail say it put in place after the incident?
The organization says it strengthened its password policy, permissions, reduced access scopes, multi-factor authentication, and monitoring for abnormal activity. It also mentions regular awareness efforts, with mandatory training required to access the system.