France Fines National Employment Agency €5m Over 2024 Data Breach

The French employment agency, France Travail, has received a €5m ($6m) fine for security failures that led to the compromise of the personal data of an estimated 43 million jobseekers. In a public statement on January 29, 2026, France’s data protection regulator, the Commission Nationale de l’Informatique et des Libertés (CNIL), said it issued sanctions against France Travail following an investigation into the data breach.

In March 2024, France Travail announced that its IT systems and those of Cap Emploi, a government employment service that supports people with disabilities, were breached. The exposed personal data included names, social security numbers, dates of birth, user IDs, email and postal addresses, and phone numbers of France Travail and Cap Emploi users. However, the attackers did not gain access to any jobseekers’ complete France Travail files or to any healthcare data. The data breach could affect users who registered on Cap Emploi over the past 20 years, an exposure that represents the data of 43 million potential users.

The CNIL opened an investigation to determine whether sufficient data security measures were in place in compliance with the EU’s General Data Protection Regulation (GDPR). This investigation concluded on January 22, 2026. It found multiple security and organizational issues at France Travail, stating the agency “failed to secure the personal data of jobseekers.” Specifically, the CNIL identified inadequate technical and organizational measures, weak authentication for Cap Emploi advisors, poor logging and monitoring, and overly broad access permissions.

Following the incident, the Paris public prosecutor’s office announced that the French police arrested three individuals, all based in France and aged 21, 22 and 23 at the time, suspected of being behind the breach. A judicial investigation was opened regarding charges of “fraudulent access to and maintenance of an automated data processing system, extraction of such data, fraud and money laundering.”

The €5m penalty reflects the failure to comply with fundamental security principles, considering the number of individuals affected and the sensitivity of the data processed. The CNIL has also ordered France Travail to provide evidence of corrective measures implemented, accompanied by a strict timeline. Failing to meet these deadlines will result in a €5000 ($5980) daily fine. Because France Travail is a publicly funded administrative body, its GDPR fines are not tied to revenue but follow a set range, with a maximum penalty of €10m ($11.9m) for data security failures.

To read the complete article, see Infosecurity Magazine.

This post is licensed under CC BY 4.0 by the author.