Second Data Breach for France’s Unemployment Agency in a Year May Also Be the Country’s Largest Ever

by | Mar 20, 2024

A massive data breach involving France’s national unemployment agency is thought to impact 43 million people, dating back through 20 years of records of those seeking employment assistance and benefits.

The data breach is not limited to the unemployment agency. The threat actor reportedly got in by first breaching an employee account for a program that assists people with disabilities in finding work; this apparently also furnished them with access to the unemployment records. The whole incident has raised questions about the level of access to personal data that such government employees have, and it looks as if it will be the largest on record for the country.

Two data breaches at same agency in a year, two record-setters in a month

France’s unemployment agency previously suffered a data breach in 2023 that exposed about 10 million records. That incident involved names and social security numbers, but not much else. The more recent incident appears to have additionally exposed nearly all of the contact information these job seekers had on file. The older incident also only exposed clients of the unemployment agency that registered prior to February 2022.

In this more recent incident, the unemployment agency was reportedly breached in early February but did not disclose anything to authorities until early March. An employee of Cap Emploi, the government agency that provides employment assistance to those with disabilities, gave up access to the network in some sort of social engineering attack. Natural questions have been raised about how this employee had access to so much data, and why information dating back 20 years was so readily available, but no good answers are available as of yet.

Given that the data breach window could have been open for a month, there are some serious potential consequences. If the attackers were able to exfiltrate 43 million records without raising alarms, it is entirely possible they moved even deeper into the network without detection and have laid out backdoors for themselves. At minimum, much of the population of France must now be on guard for phishing approaches and scams that leverage the broad range of contact information that was exposed.

French unemployment agency under GDPR investigation

The 43 million records involved in the data breach would make this a national record, only about a month after the previous record had been shattered by an attack on two payment providers that involved 33 million.

The lone bright spot is that the unemployment agency says that no banking details or login credentials were exposed. This also does not appear to have been a ransomware attack, as the online system had no downtime and the agency says it is safe to use (albeit with increased vigilance for phishing attempts.

The national police are investigating, as is data protection authority CNIL for any potential GDPR violations. CNIL was highly active in 2023, issuing more fines than any other EU nations short of Ireland and Luxembourg.

Recent Posts

How can we help?

14 + 6 =

× How can I help you?