French government employment service France Travail (formerly Pôle Emploi) announced this week that they have been hit by a cyberattack, potentially affecting the personal details of approximately 43 million workers. The attack also impacted Cap Emploi which provides access to, or return to employment, for job seekers with disabilities.

France Travail said the personal information concerning job seekers currently registered with the employment agency, people previously registered over the last 20 years as well as people having a candidate space on the job board www.francetravail.fr  are likely to be disclosed and exploited illegally.

The employment agency added that taking into account the technical investigations carried out, the personal data exposed are as follows: first and last name, social security number, date of birth, France Travail identifier, email and postal addresses and telephone numbers.  Passwords and banking details are not affected by this act of cyber malware, it added.

France Travail notified the Commission Nationale de l’Informatique et des Libertés (CNIL) and filed a complaint with the judicial authorities, in accordance with its obligations under the General Data Protection Regulation (GDPR). Cap Emploi also made a similar announcement stating that it has made the same notifications to the CNIL as well as the National Agency for Security Systems of information (ANSSI). It also filed a complaint to the judicial authorities. A preliminary investigation was opened by the Paris Public Prosecutor's Office and entrusted to the Cybercrime Brigade of the Paris Judicial Police Department.

The CNIL said in a statement, “On March 8, France Travail (formerly Pôle emploi) and Cap emploi informed the CNIL that they had been victims of an intrusion into their information systems. This attack would have potentially allowed the extraction of data from 43 million users. This number, to be confirmed, concerns people currently registered on the list of job seekers or who have been registered over the last 20 years, as well as people with a candidate space on francetravail.fr.”

“Given the scale of the violation, the president of the CNIL decided to very quickly carry out investigations in order to determine in particular whether the security measures implemented prior to the incident and in reaction to it were appropriate with regard to the obligations of the General Data Protection Regulation (GDPR), the CNIL stated.

It added that according to the information that it currently has, the data leak does not concern passwords or bank details, however it is possible that the data which was the subject of the violation is coupled, by malware actors, to other information from previous data leaks.

CNIL also issued advice on those who could have been affected by the cyberattack.

This is not the first time that French employment services have been hit by a cyberattack, On 23 August 2023, the personal data of 10 million jobseekers at Pôle Emploi was compromised. The latest data breach sets a new record in France as it affects the largest number of individuals from a single cyberattack – 63% of the French population.