Particle.news

Cnil Fines France Travail €5 Million for Massive 2024 Data Breach

The regulator ordered tighter access controls and stricter password rules, backed by a daily penalty for missed deadlines.

Overview

  • The decision follows the March 2024 exfiltration of personal data affecting about 36.8 million people after deduplication, down from an initial estimate of roughly 43 million.
  • Attackers used social engineering to impersonate Cap Emploi advisers and the IT help desk, exploiting password resets to hijack partner accounts and query France Travail databases.
  • Cnil cited weak security practices, noting in its deliberation that up to 50 password attempts were allowed before account lockout, which increased the risk of compromise.
  • Exposed fields included names, birth details, social‑security numbers, addresses, phone numbers, email addresses, and jobseeker status, while passwords and bank data were not accessed.
  • France Travail said it will not appeal, described the sanction as severe, and reported it has deployed measures such as multi‑factor authentication, enhanced monitoring, and partner awareness. These measures are required alongside access restrictions, with a €5,000‑per‑day astreinte (daily penalty) for delays after the one‑month deadline from January 22.