Data breach: FRANCE TRAVAIL fined €5 million

29 January 2026


On 22 January 2026, the CNIL fined FRANCE TRAVAIL (formerly Pôle Emploi) €5 million for failing to ensure the security of job seekers' data.

Background information

In the first quarter of 2024, one or more hackers managed to break into the FRANCE TRAVAIL information system. They used techniques known as "social engineering", which involve exploiting people's trust, ignorance or credulity. This method enabled them to hijack the accounts of advisers at CAP EMPLOI, the organisations responsible for supporting, monitoring and maintaining the employment of people with disabilities.

Investigations established that the hackers accessed the data of all individuals who were registered or who had been registered over the past 20 years, as well as individuals with a candidate account on francetravail.fr (including their National Insurance numbers, email and postal addresses, and telephone numbers). However, the hackers did not access the complete files of job seekers, which may include health data.

The CNIL's investigation revealed that the technical and organisational measures implemented to ensure the security of the personal data processed were inadequate.

As a result, the restricted committee – the CNIL body responsible for imposing sanctions – imposed a fine of €5 million on FRANCE TRAVAIL, considering the ignorance of essential security principles, the number of people affected, and the volume and sensitivity of the data processed.

In addition, the restricted committee ordered FRANCE TRAVAIL to justify the corrective measures taken, with a precise implementation schedule.

Failing this, the organisation will have to pay a penalty of €5,000 per day of delay.

Note:

France Travail is a national public administrative institution whose budget is determined by law and is mainly based on social security contributions (employers/employees). For this reason, the amount of the fine is not based on turnover, but on a range with a maximum limit of €10 million for a data security breach (Article 32).

All fines imposed by the CNIL, whether they concern private or public actors, are collected by the Treasury and paid into the State budget.

Failure to ensure the security of personal data processed (Article 32 of the GDPR)

The restricted committee noted that FRANCE TRAVAIL had not implemented the technical and organisational measures that could have made the attack more difficult. As a reminder, the implementation of security measures appropriate to the risks is an obligation of means provided for in Article 32 of the GDPR.

In particular, it noted that the authentication procedures allowing CAP EMPLOI advisers to access the FRANCE TRAVAIL information system were not sufficiently robust.

In addition, the restricted committee highlighted the inadequacy of logging measures to detect abnormal behaviour on its information system.

Finally, the restricted committee noted that the access authorisations of CAP EMPLOI advisers' accounts had been defined too broadly, allowing those advisers to access data on individuals they were not supporting, which increased the volume of data accessible to hackers.

In determining the sanction, the restricted committee took into account the fact that most of the appropriate security measures had been identified by FRANCE TRAVAIL, prior to the implementation of the processing, in the impact assessments, but had not actually been implemented.

The role of the CNIL regarding the complainants

The CNIL is the French personal data regulator. It responds to requests from individuals and professionals.

Anyone can lodge a complaint with the CNIL when they encounter difficulties in exercising their rights, or to report a breach of personal data protection rules. The CNIL can carry out investigations into organisations and, in the event of breaches, it can decide to sanction them.

However, the CNIL does not have the authority to compensate individuals who lodged a complaint. The individuals concerned may file a complaint with the police.
