Pôle emploi, France’s governmental unemployment registration and financial aid agency, is informing of a data breach that exposed data belonging to 10 million individuals.
“Pôle emploi became aware of the violation of the information system of one of its providers involving a risk of disclosure of personal data of job seekers,” reads the press release.
“Job seekers registered in February 2022, and former users of the job center are potentially affected by this theft of personal data.”
Although the agency does not specify the number of impacted individuals, Le Parisien reports an estimate of 10 million people to be impacted.
This is based on the fact that 6 million people had registered in one of Pôle emploi’s 900 job centers by February 2022, and another 4 million had done so in the previous 12 months prior to the attack, but their data hadn’t been deleted from the agency’s systems yet.
Financial aid programs unaffected
The exposed information includes full names and social security numbers, while email addresses, phone numbers, passwords, and banking data have not been affected by this data leak.
Although the exposed data has limited utility in cybercrime operations, Pôle emploi advises registered job seekers to be cautious with incoming communications.
Also, a dedicated phone support line has been set up by the agency to address any questions and concerns that exposed individuals may have about the incident.
Pôle emploi says that all its teams are now engaged in securing the data of job seekers and will continue to implement additional protection measures and procedures to prevent similar incidents from reoccurring in the future.
The agency has clarified that the incident does not impact its financial aid programs, and job seekers should feel confident to access the online employment portal at “pole-employment.fr” using their passwords.
MOVEit breach
As for the service provider responsible for the data leak, security firm Emsisoft listed Pôle emploi in its MOVEit page. The cybersecurity company also confirmed that 10 million people were impacted.
However, the Clop ransomware gang that carried out the massive MOVEit hacking spree has not yet published the French agency on its extortion site.
Previously, the threat actors said they would not expose information obtained from breaches in government agencies, so it’s unclear if the omission is due to this tactic.
Pôle emploi stands second in terms of the number of impacted individuals, only behind Maximus’ 11 million exposure, while the total tally of the MOVEit attack campaign has reached 59.2 million compromised individuals and 988 organizations.