Pedestrians on street showing data breach at French unemployment agency

Data Breach at French Unemployment Agency May Span 20 Years, 43 Million Benefit Recipients

A data breach at France’s national unemployment agency may have exposed 20 years worth of records, a possible total of 43 million between that and a related breach of an employment service for people with disabilities.

France unemployment agency breach included contact information, social security numbers

The data breach was confirmed on March 13 and involves France Travail (previously known as Pole Emploi), the national unemployment agency, and Cap Emploi, a federal government service that assists people with disabilities in finding employment. The breach potentially impacts all users of these services dating back as far as 20 years.

The data breach reportedly involves names, social security numbers, dates of birth, user IDs, email and postal addresses, and phone numbers for users of both services. The unemployment agency said that the breach did not expose password, banking information or any sort of login details. It also said that it was safe for users to log on and continue using its services, but that they should be especially wary of phishing messages that make use of the stolen information.

The country’s National Police has opened an investigation and set up an online complaint form for those potentially impacted by the data breach. France’s lead data protection authority, CNIL, has also initiated a General Data Protection Regulation (GDPR) investigation into possible breaches of cybersecurity requirements for protecting personal information.

Though the announcement was made on March 13, a spokesperson for the unemployment agency indicated that the data breach took place in early February. A threat actor apparently pulled off a social engineering attack by pretending to be a Cap Emploi civil service officer to gain access to the network. CNIL was notified on March 8, but there is no indication who the attacker was as of yet.

Data breach raises questions about agency’s handling of personal information

The French unemployment agency is fresh off another data breach less than a year ago, when it was still under the name of Pole Emploi. In 2023 it was penetrated in what was first thought to be part of the Cl0p ransomware group’s wide-ranging abuse of MOVEit customers, but was later found to be at a document digitization vendor called Majorel that said Pole Emploi was the only one of its clients impacted (and that the attack was not related to the MOVEit zero-day). Still, the data of 10 million people was exposed in that attack. That incident included a smaller range of contact information, for registrants prior to February 2022, but did include names and social security numbers.

While the full circumstances of the more recent data breach remain unclear, the response to it has taken some criticism from privacy and cybersecurity circles. The unemployment agency was reportedly aware of the attack shortly after it happened, but took nearly a month to go to the authorities and CNIL about it. The report that social engineering of an employee was involved also raised questions about exactly how much access to customer records each rank-and-file member of the staff has, and for how long data is remaining in a form that can be so easily accessed. The GDPR has rules about how long personal data can be kept before it must either be deleted or moved to a secure archive.

A “white hat” hacker named Olivier Laurelli, who goes by “Bluetouff” on social media, also reports finding security vulnerabilities in the unemployment agency’s web application in February and reporting them to the organization without receiving any response. It is unclear if these vulnerabilities played any role in the data breach, but could serve as another indicator of a lax security culture that may not be keeping up with GDPR responsibilities.

Dr Ilia Kolochenko, CEO at ImmuniWeb, expands on the risks that are created by a breach window that could have lasted up to a month: “What is quite alarming here, is the announced time frame of the disclosed intrusion, which has reportedly lasted from February 6 and March 5. Exfiltration of 43 million records is a quite “noisy” event that should have normally been detected much faster. While other technical details of the data breach remain unknown for the time being, it is perfectly conceivable that hackers could stealthily stay inside for the entire month, compromising and backdooring other internal systems with more sensitive data. Even if the currently disclosed scope of the data breach is eventually confirmed, the already compromised data can – and quite probably will – be exploited in spear phishing, account takeover and other cyberattacks against the concerned individuals. Moreover, cybercriminals can use the stolen data to blackmail the victims by asking for a ransom to avoid spreading information about their past unemployment history among colleagues causing embarrassment. In any case, victims shall stay vigilant for any incoming emails, calls and messages they receive later this year.”

As a nation, France is fresh off a record-setting data breach of two health care payment providers that exposed 33 million records. In terms of record count the unemployment agency breach is looking to now be the largest in the country’s history, seeing a record set and then broken within the space of about a month.

Though the nation appears to be in a rough cybersecurity stretch, CNIL has been one of the most active regulatory agencies in the EU and has been quick to issue substantial fines for data protection failings. In 2023 this included a €40 million penalty to advertising firm Criteo for out-of-bounds use of personalized ad profiling, and an added €5.2 million fine for Clearview AI (adding to a running total of over €20 million) for its ongoing failure to comply with prior regulatory actions. It issued the third-largest total of GDPR fines in 2023, behind only the tech industry havens of Ireland and Luxembourg.

 

Senior Correspondent at CPO Magazine