France Travail: 43 Million Records Stolen - A Complete Analysis

In-depth look at the France Travail breach of March 2024: timeline, stolen data, exploited vulnerabilities, consequences for 43 million victims, and lessons for businesses.

Thomas Ferreira - 11 min read

On March 13, 2024, France Travail (formerly Pole emploi, the French national employment agency) publicly announced what would become the largest personal data breach in French history: the data of 43 million people - roughly two-thirds of the French population - had been compromised. The scale is unprecedented, the consequences enduring, and the lessons for any organization that handles sensitive data are fundamental.

This article reconstructs the full timeline of the attack, analyzes the exploited vulnerabilities, details the compromised data and associated risks, and draws concrete lessons for French businesses.

Timeline of the Attack

The Intrusion: February-March 2024

The investigation established the following sequence of events:

February 6, 2024 - Probable start of the intrusion. The attackers used compromised credentials belonging to Cap Emploi advisors (a partner organization that assists jobseekers with disabilities) to access France Travail's information system.

February 2024 (duration uncertain) - The attackers navigated the system and progressively accessed the central database. Data extraction took place over several days, possibly weeks. No security alert was triggered during this period.

March 5, 2024 - France Travail detected suspicious queries on its systems. An internal investigation began.

March 8, 2024 - France Travail notified the CNIL (France's data protection authority) of the data breach, in compliance with the GDPR's 72-hour notification requirement (Article 33).

March 13, 2024 - France Travail issued a public statement acknowledging the breach and its scale: 43 million people potentially affected.

March 17-19, 2024 - Three suspects were arrested by the BL2C (Paris Cybercrime Brigade). They were aged 22, 23, and 24.

The MOVEit Precedent: August 2023

This was not the first time France Travail (then still known as Pole emploi) was compromised. In August 2023, the Cl0p cybercrime group exploited a vulnerability in the MOVEit file transfer software (CVE-2023-34362) to access the data of 10 million jobseekers. That earlier breach should have served as a warning.

The Compromised Data: Anatomy of a Catastrophe

What Was Stolen

France Travail confirmed the compromise of the following data for all 43 million affected individuals:

| Data Field | Associated Risk |
|---|---|
| First and last name | Identity theft |
| Date of birth | Fraudulent identity verification |
| Social security number (NIR) | Administrative fraud, benefit fraud |
| France Travail identifier | Unauthorized account access |
| Email address | Targeted phishing (spear phishing) |
| Postal address | Mail-based scams, targeted burglary |
| Phone number | Vishing (voice phishing), smishing (SMS phishing) |

Why the Social Security Number Is the Most Critical Data Point

The French social security number (NIR) is a permanent identifier that cannot be changed, unlike a password or a credit card number. It is used as an identification key in numerous systems: health insurance, pensions, taxes, and banking. An attacker who knows your NIR, name, and date of birth can potentially:

  • Impersonate you with the national health insurance system
  • Open bank accounts in your name
  • Apply for social benefits in your name
  • Take out consumer loans through identity theft

43 million French residents now have their social security number potentially compromised for life. There is no standard procedure in France to change one's NIR.

What Was NOT Stolen

France Travail indicated that the following were not compromised:

  • Passwords for personal accounts
  • Bank details (IBAN, RIB)
  • CVs and personal documents uploaded to the platform

The Security Failures: How It Happened

Analysis of the attack reveals several structural weaknesses that made the breach possible.

1. No Multi-Factor Authentication (MFA)

The most indefensible failure. Cap Emploi advisor credentials provided direct access to France Travail's information system with no additional verification (no SMS code, authenticator app, or physical key). A simple username and password combination was sufficient.

In 2024, for a system containing 43 million people's data, the absence of MFA constitutes serious negligence. MFA is recommended by ANSSI (France's national cybersecurity agency) in all its best-practice guidelines and required by most security frameworks (ISO 27001, SOC 2).

2. Centralized Database with No Segmentation

Records for every jobseeker since 2004 (20 years of history) were accessible from a single entry point. No segmentation by year, region, or sensitivity level. One compromised account gave access to the entire database.

The principle of data segmentation is fundamental in information security: divide data into compartments so that the compromise of one segment does not expose the rest.

3. Excessive Data Retention

Why was France Travail storing data for jobseekers registered 20 years ago? The GDPR requires that data be kept only "for no longer than is necessary for the purposes for which the personal data are processed" (Article 5). Retaining 20 years of records, many for individuals with no remaining connection to France Travail, raises a proportionality issue.

Had the data been purged in line with reasonable retention periods (for example, 5 years after the last registration), the number of victims would have been dramatically lower.

4. No Detection of Anomalous Behavior

The attackers had access to the systems for several weeks without triggering an alert. Extracting 43 million records generates a massive volume of queries that should have been caught by monitoring tools (SIEM, behavioral analytics). The lack of detection suggests gaps in security supervision.

5. Inadequately Secured Interconnection with Cap Emploi

External partner (Cap Emploi) access to France Travail's information system was not sufficiently controlled. Partner access should be limited to the strict minimum (principle of least privilege), with enhanced authentication and dedicated monitoring.

Consequences for Victims

Immediate Risks: Targeted Phishing

In the weeks following the disclosure, a wave of targeted phishing was observed:

  • Emails impersonating France Travail: "Following the security incident, please verify your information by clicking here"
  • Fraudulent text messages (smishing): "France Travail: your account has been secured, confirm your identity via this link"
  • Phone calls (vishing): individuals posing as France Travail advisors and citing the victim's name and social security number

These attacks are far more dangerous than generic phishing because the attackers hold real personal data, which makes the attempts much more credible.

Long-Term Risks: Identity Theft

Stolen data does not expire. A social security number, date of birth, and address remain valid for years. Victims face identity-theft risks that can surface months or even years after the breach:

  • Fraudulent bank account openings
  • Consumer loan applications in the victim's name
  • Social benefit fraud
  • Mail diversion to intercept identity documents

Legal Recourse for Victims

Victims can:

  1. File a police report (online through the dedicated portal or in person at a police station)
  2. Report any phishing attempts on signal-spam.fr and Cybermalveillance.gouv.fr
  3. Monitor their accounts (banking, Ameli health insurance, tax portal) for suspicious activity
  4. Join collective action: several consumer associations (UFC-Que Choisir, CLCV) have launched proceedings

Lessons for Businesses

The France Travail incident is a textbook case for any organization that handles personal data. Here are the concrete takeaways.

Lesson 1: MFA Is Not Optional

If France Travail had required multi-factor authentication for advisor logins, the attack would likely have failed. MFA is the single most cost-effective security control available.

Immediate action: enable MFA on all access to your information systems, starting with administrator accounts and remote access. The cost is marginal (a few euros per user per month for an authentication solution); the benefit is immense.

Lesson 2: Purge Your Data

Retaining 20 years of data when 5 would suffice multiplies the exposure risk fourfold in the event of a breach. Define GDPR-compliant retention periods and purge regularly.
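As an added illustration (not France Travail's code and not part of the original article), here is a retention purge keyed on each person's most recent registration, using the article's example period of 5 years. The table names, columns, and sample rows are constructed for the example.

```python
import sqlite3
from datetime import date

RETENTION_YEARS = 5              # the article's example period
SAMPLE_TODAY = date(2024, 3, 13)  # constructed "run date" for the sample data

def purge_expired(conn, today, years=RETENTION_YEARS):
    """Delete every person whose latest registration is older than the
    retention period. Returns the number of people purged."""
    try:
        cutoff = today.replace(year=today.year - years)
    except ValueError:  # today is 29 February and the target year is not a leap year
        cutoff = today.replace(year=today.year - years, day=28)
    expired = """SELECT person_id FROM registration
                 GROUP BY person_id HAVING MAX(registered_on) < ?"""
    with conn:  # one transaction: both deletes commit, or neither does
        ids = [(row[0],) for row in conn.execute(expired, (cutoff.isoformat(),))]
        conn.executemany("DELETE FROM registration WHERE person_id = ?", ids)
        conn.executemany("DELETE FROM person WHERE id = ?", ids)
    return len(ids)

def constructed_db():
    """Constructed sample: hypothetical schema with placeholder identifiers."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE person(id INTEGER PRIMARY KEY, name TEXT, nir TEXT);
        CREATE TABLE registration(person_id INTEGER, registered_on TEXT);
    """)
    conn.executemany("INSERT INTO person VALUES (?, ?, ?)", [
        (1, "Person A", "NIR-PLACEHOLDER-1"),
        (2, "Person B", "NIR-PLACEHOLDER-2"),
        (3, "Person C", "NIR-PLACEHOLDER-3"),
    ])
    conn.executemany("INSERT INTO registration VALUES (?, ?)", [
        (1, "2004-09-01"),   # last registered 20 years ago: purged
        (2, "2006-03-15"),   # old row, but...
        (2, "2023-11-02"),   # ...re-registered recently: kept
        (3, "2019-03-13"),   # exactly at the cutoff, not yet older: kept
    ])
    return conn

if __name__ == "__main__":
    db = constructed_db()
    print("purged:", purge_expired(db, SAMPLE_TODAY))
    print("remaining:", db.execute("SELECT id, name FROM person").fetchall())
```

The purge decision is made per person, not per row, so an old registration does not cause deletion of someone who has registered again since.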

Lesson 3: Segment Your Databases

A single access point should never grant access to the entirety of your data. Segment by sensitivity level, functional scope, and age.

Lesson 4: Monitor for Anomalous Behavior

A system that lets 43 million records be extracted without triggering an alert is a blind system. Invest in detection: SIEM, user and entity behavior analytics (UEBA), and alerts on unusual query volumes.
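A sketch of the "unusual query volume" alert described here and in the detection failure above, as an added example that is not from the original article or from France Travail's tooling. It counts distinct records read per account per day and compares each day against the account's own earlier baseline; the account names, thresholds, and events are constructed.

```python
from collections import defaultdict
from statistics import median

def distinct_records_per_day(events):
    """(day, account, record_id) tuples -> {account: {day: distinct record count}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for day, account, record_id in events:
        seen[account][day].add(record_id)
    return {a: {d: len(ids) for d, ids in days.items()} for a, days in seen.items()}

def flag_bulk_access(events, factor=5, floor=200, min_history=3):
    """Alert when an account reads more distinct records in a day than both an
    absolute floor and `factor` times the median of its own earlier normal days."""
    alerts = []
    for account, per_day in distinct_records_per_day(events).items():
        history = []
        for day in sorted(per_day):
            count = per_day[day]
            baseline = median(history) if len(history) >= min_history else None
            limit = floor if baseline is None else max(floor, factor * baseline)
            if count > limit:
                alerts.append((day, account, count, baseline))
            else:
                history.append(count)  # alerted days never raise the baseline
    return sorted(alerts)

def constructed_events():
    """Constructed sample: two hypothetical partner accounts over ten days."""
    days = [f"2024-02-{d:02d}" for d in range(1, 11)]
    events = []
    for i, day in enumerate(days):
        for account, n in (("adv-A", 30 + i), ("adv-B", 45)):  # ordinary caseloads
            events += [(day, account, f"{account}-{k}") for k in range(n)]
    for day in days[5:]:  # from day 6, adv-B's login walks the whole database
        events += [(day, "adv-B", f"bulk-{day}-{k}") for k in range(4000)]
    return events

if __name__ == "__main__":
    for alert in flag_bulk_access(constructed_events()):
        print(alert)
```

Keeping alerted days out of the baseline matters for a slow extraction: otherwise each day of bulk reads would raise the threshold for the next.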

Lesson 5: Secure Partner Access

Your partners, vendors, and subcontractors are extensions of your attack surface. Apply the same security requirements to them as you do to your own employees.

Lesson 6: Train Your Staff

The Cap Emploi credentials were most likely compromised through phishing. Regular employee training is the first line of defense against credential theft.

Launch phishing simulations with nophi.sh - first simulation in 15 minutes.

What Is the CNIL Doing?

The CNIL opened a formal inquiry as soon as it received the breach notification. The investigation focuses on:

  • Compliance with the security obligation (Article 32 of the GDPR)
  • Proportionality of data retention periods
  • Authentication measures for system access
  • Controls on partner access
  • Timeliness of the notification

The inquiry remains ongoing as of April 2026. A sanction could be issued if the CNIL identifies clear compliance failures.

What Comes Next?

The France Travail breach is a turning point in the history of French cybersecurity. By its scale (43 million), by the sensitivity of the data (social security numbers), and by the simplicity of the attack (stolen credentials with no MFA), it exposes the gap between data-protection stakes and actual practices.

For French businesses, the lesson is clear: basic controls - MFA, data purging, segmentation, training - are not advanced cybersecurity. They are the bare minimum. And that minimum was not met by one of France's largest public agencies.

Do not make the same mistake. Start by testing your email security configuration - it is free and instant.

Find this incident and over 100 others in our French cyberattack database.
