CNIL Penalises France Travail for Failing to Protect 20 Years of Personal Data

In early 2024, France Travail, the national public institution responsible for employment services, suffered a significant data breach affecting personal information collected over the past 20 years. Hackers exploited weaknesses through social engineering, a technique that manipulates human trust to gain unauthorised access. In this case, the attackers compromised the accounts of CAP EMPLOI advisers, the professionals tasked with supporting and monitoring employment for people with disabilities.

Although the breach did not extend to full jobseeker files, which could have included sensitive health information, it exposed a large volume of personal data, including National Insurance numbers, contact details, and employment-related identifiers. This affected thousands of individuals registered on francetravail.fr.

Following an investigation, France’s data protection authority, CNIL, found that the technical and organisational measures implemented by France Travail were inadequate. Key weaknesses included insufficient authentication procedures, overly broad access permissions, and inadequate monitoring and logging to detect abnormal activity. Notably, although the organisation had identified many of these safeguards in its impact assessments before processing, they had not been implemented in practice.

The CNIL’s restricted committee highlighted the gravity of the breach, considering both the volume and sensitivity of the data involved, and imposed a €5 million fine. France Travail was also required to submit a detailed corrective plan with a clear implementation schedule. Failure to comply could result in further penalties of €5,000 per day.

The case illustrates that data security obligations under GDPR, specifically Article 32, which requires organisations to implement technical and organisational measures appropriate to the risk, apply equally to public and private entities. It also shows that failing to act on identified risks can result in significant regulatory and reputational consequences.

Key Lessons for Businesses

The France Travail breach provides clear guidance for companies on how to strengthen data protection and reduce the risk of similar incidents. Here are the key lessons learned:

1. Strengthen Authentication and Access Controls

Access to personal data should be limited to only those who genuinely need it for their role. France Travail’s breach was exacerbated by overly broad permissions for CAP EMPLOI advisers, allowing hackers to access far more data than necessary. Companies should implement robust login procedures, multi-factor authentication, and role-based access controls to reduce exposure.

2. Implement Active Monitoring and Logging

Security is not only about prevention; it also involves detection. The breach highlighted the absence of adequate logging and monitoring systems, which could have flagged suspicious activity earlier. Businesses should invest in systems that track access patterns and alert teams to anomalies, ensuring that potential attacks are identified and mitigated promptly.
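As an added illustration of the access-pattern monitoring described above (example code written for this article, not France Travail's or CNIL's own tooling), the following Python monitor reads constructed audit-log lines and flags adviser accounts whose daily count of distinct jobseeker records jumps above their own baseline or an absolute cap; the account names, record ids, log format and thresholds are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit-log lines ("<ISO timestamp> <account> <record id>"), not real data.
# Three quiet days per adviser, then a fourth day with a burst of record lookups.
SAMPLE_LOG = """\
2024-02-05T09:02:11 adviser_a JS-1001
2024-02-05T10:15:40 adviser_a JS-1002
2024-02-06T09:30:05 adviser_a JS-1003
2024-02-07T09:10:00 adviser_a JS-1004
2024-02-07T11:45:13 adviser_a JS-1005
2024-02-05T09:00:00 adviser_b JS-3001
2024-02-06T09:00:00 adviser_b JS-3002
2024-02-07T09:00:00 adviser_b JS-3003
"""
# Day 4: adviser_a pulls 40 distinct records at 02:00, adviser_b pulls 8 (both constructed).
SAMPLE_LOG += "".join(f"2024-02-08T02:{i:02d}:00 adviser_a JS-{2000 + i}\n" for i in range(40))
SAMPLE_LOG += "".join(f"2024-02-08T09:{i:02d}:00 adviser_b JS-{3004 + i}\n" for i in range(8))

def parse_log(text):
    """Group the log into {account: {day: set of distinct record ids}}."""
    per_day = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        if line.strip():
            ts, account, record = line.split()
            per_day[account][ts[:10]].add(record)
    return per_day

def find_volume_anomalies(per_day, min_history=3, z=3.0, hard_cap=25):
    """Return (account, day, count, reason) for days whose distinct-record
    count exceeds an absolute cap, or mean + z*stdev of the account's own
    earlier (unflagged) days once enough history exists."""
    alerts = []
    for account, days in per_day.items():
        history = []
        for day in sorted(days):
            count = len(days[day])
            if count > hard_cap:
                alerts.append((account, day, count, "hard_cap"))
                continue
            if len(history) >= min_history:
                mu, sigma = mean(history), pstdev(history)
                # Floor sigma at 1 so a perfectly flat baseline still tolerates small variation.
                if count > mu + z * max(sigma, 1.0):
                    alerts.append((account, day, count, "baseline"))
                    continue
            history.append(count)  # flagged days are kept out of the baseline
    return alerts
```

Calling `find_volume_anomalies(parse_log(SAMPLE_LOG))` flags both advisers' fourth day, one by the hard cap and one by the baseline rule; in practice the alerts would feed a SIEM or ticketing queue rather than a list.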

3. Follow Through on Risk Assessments

Conducting impact assessments is a critical step, but the France Travail case shows that identifying risks without implementing the recommended measures is insufficient. Organisations must turn risk assessments into concrete actions, documenting the measures in place and verifying that they are actively enforced.

4. Maintain Clear Accountability and Governance

Designating responsibility for data protection and establishing governance frameworks is essential. France Travail’s failure underscores the importance of clear roles, oversight, and accountability for security practices. Establishing internal data protection committees or ethics boards can help ensure ongoing compliance and promote a culture of security awareness.

This incident is a reminder that data security is as much about people and processes as it is about technology.

How Can Gerrish Legal Help?

Gerrish Legal is a dynamic digital law firm. We pride ourselves on giving high-quality and expert legal advice to our valued clients. We specialise in many aspects of digital law such as GDPR, data privacy, digital and technology law, commercial law, and intellectual property.

We give companies the support they need to successfully and confidently run their businesses whilst complying with legal regulations, without the burden of keeping up with ever-changing digital requirements.

We are here to help you; get in contact with us today for more information.
