If you’ve lived in France and looked for a job since the early 2000s, there’s a high probability your personal details were part of the data breach.
When you are the primary government agency responsible for helping millions of people find work, you aren’t just a bureaucracy. You are a treasure chest. And as France Travail recently learned, if you leave the lid unlocked for two decades, someone is eventually going to reach inside.
Last week, the French data protection authority (CNIL) handed down a $6 million fine to the agency, following a security breach that exposed the data of nearly everyone who had registered with the organization over the last 20 years.
In early 2024, hackers used classic social engineering to infiltrate France Travail. By tricking staff at organizations responsible for supporting job seekers with disabilities, the attackers successfully hijacked their accounts.
Once inside, the hackers found they had far more power than they should have. The CNIL’s investigation revealed that France Travail had violated the “principle of least privilege,” meaning users had access to way more data than was actually necessary for their jobs.
Perhaps the most disturbing detail of the breach is the timeline. The hackers didn’t just get current records; they accessed the data of everyone who had interacted with the agency for the past two decades.
While sensitive health data remained untouched, the haul was still a fraudster’s dream: national insurance numbers, email and postal addresses, and telephone numbers.
Why did it take so long to notice? The CNIL pointed to several “essential security principles” that were ignored. For one, the barriers to entry were too low for such sensitive systems. Furthermore, there weren’t enough checks on system logs to detect “abnormal behaviour.” When the hackers started vacuuming up 20 years of history, the alarms didn’t go off because, essentially, there were no alarms installed.
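The two findings above, excessive access rights and no review of logs for abnormal behaviour, are the kind of thing a few dozen lines of log analysis would have surfaced. The following is an added illustration, not code from France Travail or the CNIL: it assumes a hypothetical audit-log format of `<ISO timestamp> <account> <action> <jobseeker_id>`, a constructed table of which files each partner account is assigned, and constructed sample lines in which one partner account pulls 200 unassigned files within a single hour. It flags both the out-of-scope reads (the least-privilege problem) and the volume spike (the missing alarm); the thresholds are illustrative choices, not anything the CNIL prescribed.

```python
"""Two detections the CNIL findings point to, as a constructed example.

1. Least privilege: a partner account reading jobseeker files outside its
   assigned caseload.
2. Abnormal volume: an account reading far more files per hour than its
   own usual rate.
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed, hypothetical log format: "<ISO timestamp> <account> <action> <jobseeker_id>"
NORMAL_LINES = [
    "2024-02-05T09:01:10 partner-a READ JS-1001",
    "2024-02-05T09:03:22 partner-a READ JS-1002",
    "2024-02-05T10:15:00 partner-a READ JS-1003",
    "2024-02-05T11:20:45 partner-a READ JS-1001",
    "2024-02-05T14:02:00 partner-a READ JS-1004",
    "2024-02-06T09:00:00 partner-a READ JS-1005",
    "2024-02-05T09:30:00 partner-b READ JS-3001",
    "2024-02-05T10:30:00 partner-b READ JS-3002",
    "2024-02-06T16:00:00 partner-b READ JS-3001",
]

# Constructed burst: one partner account pulling 200 files it was never
# assigned, all inside the 09:00 hour.
BURST_LINES = [
    f"2024-02-07T09:{i // 60:02d}:{i % 60:02d} partner-a READ JS-{5000 + i}"
    for i in range(200)
]

# Constructed caseloads: the only files each partner account should need.
CASELOADS = {
    "partner-a": {"JS-1001", "JS-1002", "JS-1003", "JS-1004", "JS-1005"},
    "partner-b": {"JS-3001", "JS-3002"},
}


def parse_log(lines):
    """Parse log lines into (timestamp, account, action, record) tuples."""
    events = []
    for line in lines:
        ts, account, action, record = line.split()
        events.append((datetime.fromisoformat(ts), account, action, record))
    return events


def out_of_scope(events, caseloads):
    """Records read by each account that lie outside its assigned caseload."""
    hits = defaultdict(set)
    for _, account, _, record in events:
        if record not in caseloads.get(account, set()):
            hits[account].add(record)
    return {account: sorted(records) for account, records in hits.items()}


def hourly_counts(events):
    """Number of reads per account per calendar hour."""
    counts = defaultdict(Counter)
    for ts, account, _, _ in events:
        counts[account][ts.strftime("%Y-%m-%dT%H")] += 1
    return counts


def volume_anomalies(events, min_count=50, factor=10):
    """Hours in which an account read more than max(min_count, factor * its
    median hourly rate over the other hours). Both thresholds are illustrative."""
    alerts = {}
    for account, buckets in hourly_counts(events).items():
        for hour, n in buckets.items():
            others = [c for h, c in buckets.items() if h != hour]
            baseline = median(others) if others else 0
            if n > max(min_count, factor * baseline):
                alerts.setdefault(account, []).append((hour, n))
    return alerts


def run_detections(lines, caseloads):
    """Run both checks and return their findings keyed by check name."""
    events = parse_log(lines)
    return {
        "out_of_scope": out_of_scope(events, caseloads),
        "volume": volume_anomalies(events),
    }


if __name__ == "__main__":
    findings = run_detections(NORMAL_LINES + BURST_LINES, CASELOADS)
    for account, records in findings["out_of_scope"].items():
        print(f"{account}: {len(records)} reads outside assigned caseload")
    for account, spikes in findings["volume"].items():
        for hour, n in spikes:
            print(f"{account}: {n} reads during {hour}, far above its usual rate")
```

On the constructed data the quiet days produce no findings, while the burst hour is reported twice: once because every one of the 200 files was outside the account's caseload, and once because 200 reads in an hour is two orders of magnitude above that account's median of one. Either signal on its own would have been enough to trigger a review; the page's point is that neither was being looked for.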
The $6 million fine is basically an “I told you so” from the French government to its own agency. CNIL justified the heavy penalty by the massive number of people affected and the agency’s disregard for basic security protocols. For its part, France Travail says it recognizes the seriousness of the events but regrets the severity of the fine, citing its commitment to cybersecurity since the disaster occurred.
In the world of data privacy, the answer to “What could possibly go wrong?” is usually: everything you didn’t bother to monitor.
Written by Clement Saudu