France data protection authority CNIL has fined public employment agency France Travail €5 million for failing to ensure the security of personal data of job seekers.
Attackers gained access to the organization’s systems through social engineering techniques that targeted accounts used by staff at Cap emploi, a partner organization.
The investigation found that attackers accessed data linked to current registrants, former registrants from the past 20 years, and individuals with a candidate profile on francetravail.fr. The breach affected personal data tied to about 43 million people, including social security numbers, email and postal addresses, and phone numbers.
“The safeguards in place did not sufficiently reduce the risk of unauthorized access through compromised accounts,” CNIL said in its decision.
In addition to the financial penalty, CNIL ordered France Travail to provide evidence of corrective actions within a defined timeframe. The regulator also imposed a conditional daily penalty of €5000 if the organization does not comply with the order.
The fine is based on violations of Article 32 of the GDPR, which requires organizations to implement security measures appropriate to the risks associated with processing personal data.