France’s Employment Agency has suffered a data breach that could affect users who registered over the past 20 years, representing 43 million potential users’ data exposed.
France Travail, the French national employment agency, announced on March 13, 2024 that its IT systems and those of Cap Emploi, a government employment service that supports people with disabilities, were breached.
According to France Travail, exposed personal data includes names, social security numbers, dates of birth, user IDs, email and postal addresses, and phone numbers of France Travail and Cap Emploi users.
Login credentials, passwords and bank details are not at risk, the agency confirmed in a public statement.
The incident does not affect allowance payments, and users can still connect to their France Travail account. However, the agency advised its users to be extra cautious when receiving a message pretending to be from its services.
“The potential consequences of this case concern the various forms of phishing, attempted scams and identity theft to which people affected by this incident could fall victim,” the French government said on its national cyber prevention website, Cybermalveillance.gouv.fr.
France Travail has notified France’s data watchdog, the Commission Nationale de l’Informatique et des Libertés (CNIL), and filed a complaint with the police.
The French police have opened an investigation and released an online complaint form for people whose data may have been exposed.
The CNIL also opened an investigation to determine whether sufficient data security measures were in place in compliance with the EU’s General Data Protection Regulation (GDPR).
On March 19, the Paris public prosecutor's office announced that the French police have arrested three individuals who are suspected to be behind the breach. They are aged 21, 22 and 23 and are all based in France.
A judicial investigation has been opened into the charges of "fraudulent access to and maintenance of an automated data processing system, extraction of such data, fraud and money laundering."
The cybercrime unit of the Paris public prosecutor's office has requested that the three suspects be remanded in custody.
What Happened to France Travail’s IT Systems?
The French government indicated that the malicious actor gained unauthorized access to Cap Emploi’s systems around February 6.
In a public statement, France Travail added that they “impersonated a Cap Emploi civil service officer” to do so.
A few days later, France Travail started to notice “suspicious activity” within its IT systems.
The agency notified the CNIL on March 8.
According to Clément Domingo, a French ethical hacker also known as SaxX, the four most probable attack vectors are:
- Data scraping from an insider
- A vulnerability exploit
- An unfortunate database export to an exposed or insecure cloud service
- A third-party compromise
The attack has not been claimed by nor attributed to any specific threat actor at the time of writing.
France Travail’s Security Posture Under Scrutiny
After hearing about the breach, voices in the French cybersecurity community quickly started to criticize France Travail’s security shortcomings.
Notably, some cybersecurity professionals were surprised that the agency allegedly took one full month to respond to the incident and notify the authorities.
Others were concerned that 20 years’ worth of France Travail users’ data is available online and accessible by any employee.
Although it is legally required to keep your users' data for a certain period, it is usually recommended that you store the oldest part in a secure backup repository.
Finally, another ethical hacker, Olivier Laurelli (aka Bluetouff), tried to publicly notify France Travail of security flaws in the agency’s new web application in February without a public response from the agency.
France Travail was commonly known as Pole Emploi until the end of 2023. The agency was undergoing a branding change across all its services including websites and all applications.
The agency also suffered a third-party breach in the summer of 2023, which exposed the personal information of 10 million users.
That incident was associated with the Clop ransomware group exploiting a zero-day vulnerability in the Progress Software’s MOVEit Transfer service.
Read more: MOVEit Exploitation Fallout Drives Record Ransomware Attacks
French Government Mitigation Recommendations
As required by GDPR, France Travail will individually inform each user who may have been impacted through their account and via email.
The CNIL issued a list of recommendations to anyone who may have their personal data exposed by the breach:
- Be particularly vigilant with regard to messages (SMS, emails) that you may receive, especially if they ask you to carry out an urgent action, such as making a payment
- Never give out your passwords or bank details by e-mail
- If you have any doubts, do not open attachments; do not click on links contained in messages inviting you to connect to a personal space; instead, access the corresponding official site directly via your usual browser
- Periodically check the activity and movements on your various accounts
- Make sure you use strong passwords for your e-mail, bank accounts, and other essential services
Read more: France: 33 Million Social Security Numbers Exposed in Health Insurance Hack
This article was updated on March 19, 2024 with the announcement from the Paris public prosecutor's office that three individuals have been arrested.