Personal data of nearly 37m job seekers exposed in France Travail breach


The French data protection authority (DPA) has fined France Travail, the national unemployment agency, €5 million over a breach that exposed the personal data of more than 36.8 million job seekers.

In March 2024, one or more attackers gained access to France Travail’s IT systems through social engineering. That gave them access to accounts belonging to Cap Emploi, a division that helps people with disabilities find jobs.

The attackers managed to find the necessary information to reset the password of a Cap Emploi account. They did this by posing as Cap Emploi employees to the system’s IT administrators’ helpdesk and requesting a password reset.


The attackers then contacted the Cap Emploi employee they had just impersonated, but this time posing as the helpdesk, and asked the employee for the new password. This allowed the attackers to log in.

Researchers have determined that the hackers exfiltrated data from people who had sought employment through the French unemployment agency over the past 20 years, or had posted their resumes on the agency’s website. The stolen data, totaling around 25GB, included the Social Security numbers, email addresses, postal addresses, and telephone numbers of approximately 37 million unemployed people.

Image: Leak of resumes and CVs (image by Cybernews).

The attackers didn’t manage to steal job seekers’ complete records, which included sensitive information like health data.

According to the Commission Nationale de l’Informatique et des Libertés (CNIL), France’s privacy and data protection authority (DPA), the unemployment agency neglected to build in technical or organizational safeguards to ensure the security of the personal data it processes, which is an infringement of Article 32 of the General Data Protection Regulation (GDPR).


Specifically, the login method used by Cap Emploi employees was not robust enough: passwords of only 8 characters were accepted, multi-factor authentication (MFA) was not in place, and an account was blocked only after 50 failed login attempts.
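The two weaknesses that mattered in this incident, a lockout threshold far too high to catch password guessing and a helpdesk reset that let an impersonator log in, are both detectable from ordinary authentication logs. The following is an added example, not code from France Travail, Cap Emploi, or the CNIL: it runs two checks over a constructed log in a hypothetical "timestamp user event source_ip" format, raising an alert after 5 failed logins within 10 minutes (well below the 50 the article reports) and flagging any successful login from a never-before-seen IP within 30 minutes of a helpdesk-initiated password reset. The event names, thresholds and sample IPs are assumptions made for the example.

```python
"""Added example: two detections over constructed authentication log lines.
Not France Travail's, Cap Emploi's or the CNIL's code; the log format,
event names and thresholds below are assumptions for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGIN_THRESHOLD = 5                 # alert far below the 50 attempts the article reports
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
RESET_LOGIN_WINDOW = timedelta(minutes=30)  # how long after a helpdesk reset a new-IP login is suspicious

# Constructed sample log: "<ISO timestamp> <user> <event> <source_ip>" (hypothetical format).
# bob: six failed logins in three minutes (guessing burst).
# alice: helpdesk reset, then a login from an IP never seen for her account.
# carol: helpdesk reset, then a login from her usual IP (benign).
SAMPLE_LOG = """\
2024-03-01T08:00:00 alice LOGIN_OK 198.51.100.5
2024-03-01T08:05:00 carol LOGIN_OK 198.51.100.9
2024-03-01T09:00:00 bob LOGIN_FAIL 203.0.113.10
2024-03-01T09:00:30 bob LOGIN_FAIL 203.0.113.10
2024-03-01T09:01:00 bob LOGIN_FAIL 203.0.113.10
2024-03-01T09:01:30 bob LOGIN_FAIL 203.0.113.10
2024-03-01T09:02:00 bob LOGIN_FAIL 203.0.113.10
2024-03-01T09:02:30 bob LOGIN_FAIL 203.0.113.10
2024-03-01T10:00:00 alice HELPDESK_RESET -
2024-03-01T10:12:00 alice LOGIN_OK 203.0.113.77
2024-03-01T11:00:00 carol HELPDESK_RESET -
2024-03-01T11:05:00 carol LOGIN_OK 198.51.100.9
"""


def parse_line(line):
    """Split one log line into (timestamp, user, event, source_ip)."""
    ts, user, event, ip = line.split()
    return datetime.fromisoformat(ts), user, event, ip


def detect(lines):
    """Return a list of (timestamp, user, reason, detail) alerts, in log order."""
    alerts = []
    fails = defaultdict(deque)    # user -> timestamps of recent failed logins
    known_ips = defaultdict(set)  # user -> IPs seen on earlier successful logins
    last_reset = {}               # user -> time of most recent helpdesk reset
    burst_fired = set()           # users already alerted for a burst (avoid repeats)

    for line in lines:
        if not line.strip():
            continue
        ts, user, event, ip = parse_line(line)

        if event == "LOGIN_FAIL":
            window = fails[user]
            window.append(ts)
            # Drop failures older than the sliding window.
            while window and ts - window[0] > FAILED_LOGIN_WINDOW:
                window.popleft()
            if len(window) >= FAILED_LOGIN_THRESHOLD and user not in burst_fired:
                alerts.append((ts, user, "failed-login burst", len(window)))
                burst_fired.add(user)

        elif event == "HELPDESK_RESET":
            last_reset[user] = ts

        elif event == "LOGIN_OK":
            reset_at = last_reset.get(user)
            if (reset_at is not None
                    and ts - reset_at <= RESET_LOGIN_WINDOW
                    and ip not in known_ips[user]):
                alerts.append((ts, user, "login from new IP after helpdesk reset", ip))
            known_ips[user].add(ip)
            fails[user].clear()   # a success ends the failure streak

    return alerts


if __name__ == "__main__":
    for ts, user, reason, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {user}: {reason} ({detail})")
```

Run as-is, the script reports bob's burst at the fifth failure and alice's post-reset login from an unknown IP, while carol's reset followed by a login from her usual address produces nothing. The reset check is the one that speaks to this breach: a lockout threshold alone would never have caught an attacker who obtained a freshly reset password through the helpdesk, so pairing reset events with the first subsequent login is what gives a defender a signal.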

Considering the scale of the data breach, the sensitivity of the processed data, and the lack of knowledge of essential security principles, the CNIL has issued a €5 million fine. The unemployment agency is ordered to take corrective measures within a month. For every day the agency fails to do this, it will receive a penalty of €5,000.

