Urgent Enforcement Amended Final

France Travail fined €5 million for data security breach

CNIL News (France DPA)
Filed January 29th, 2026
Detected February 11th, 2026

Summary

The CNIL has fined FRANCE TRAVAIL (formerly Pôle Emploi) €5 million for failing to implement adequate security measures to protect job seeker data, following a hack in early 2024. The fine addresses inadequate technical and organizational measures, including weak authentication and logging.

What changed

The CNIL has imposed a €5 million fine on FRANCE TRAVAIL for significant data security failures that led to a breach of personal data of job seekers registered over the past 20 years. The investigation found that FRANCE TRAVAIL's technical and organizational measures were inadequate, including insufficient authentication procedures for CAP EMPLOI advisers, poor logging for detecting abnormal system behavior, and overly broad access authorizations, despite having identified most necessary security measures prior to the breach.

FRANCE TRAVAIL must justify the corrective measures taken with a precise implementation schedule. Failure to comply with this requirement will result in a daily penalty of €5,000. This enforcement action underscores the critical importance of robust data security and the implementation of identified security measures to comply with Article 32 of the GDPR.

What to do next

  1. Review and implement robust technical and organizational security measures for personal data processing.
  2. Ensure authentication procedures are sufficiently robust and access authorizations are appropriately defined.
  3. Implement adequate logging to detect abnormal behavior on information systems.

Penalties

€5 million fine, with a penalty of €5,000 per day of delay for failing to implement corrective measures.

Source document (simplified)

Data breach: FRANCE TRAVAIL fined €5 million

29 January 2026

On 22 January 2026, the CNIL fined FRANCE TRAVAIL (formerly Pôle Emploi) €5 million for failing to ensure the security of job seekers' data.

Background information

In the first quarter of 2024, one or more hackers managed to hack into the FRANCE TRAVAIL information system. They used techniques known as "social engineering", which involve exploiting people's trust, ignorance or credulity. This method enabled them to hijack the accounts of CAP EMPLOI advisers, i.e. the organisations responsible for supporting, monitoring and upholding the employment of people with disabilities.

Investigations established that the hackers accessed the data of all individuals who were registered or who had been registered over the past 20 years, as well as individuals with a candidate account on francetravail.fr (including their National Insurance numbers, email and postal addresses, and telephone numbers). However, the hackers did not access the complete files of job seekers, which may include health data.

The CNIL's investigation revealed that the technical and organisational measures implemented to ensure the security of the personal data processed were inadequate.

As a result, the restricted committee – the CNIL body responsible for imposing sanctions – imposed a fine of €5 million on FRANCE TRAVAIL, considering the ignorance of essential security principles, the number of people affected, and the volume and sensitivity of the data processed.

In addition, the restricted committee ordered FRANCE TRAVAIL to justify the corrective measures taken, with a precise implementation schedule.

Failing this, the organisation will have to pay a penalty of €5,000 per day of delay.

Note:

France Travail is a national public administrative institution whose budget is determined by law and is mainly based on social security contributions (employers/employees). For this reason, the amount of the fine is not based on turnover, but on a range with a maximum limit of €10 million for a data security breach (Article 32).

All fines imposed by the CNIL, whether they concern private or public actors, are collected by the Treasury and paid into the State budget.

Failure to ensure the security of personal data processed (Article 32 of the GDPR)

The restricted committee noted that FRANCE TRAVAIL had not implemented the technical and organisational measures that could have made the attack more difficult. As a reminder, the implementation of security measures appropriate to the risks is an obligation of means provided for in Article 32 of the GDPR.

In particular, it noted that the authentication procedures allowing CAP EMPLOI advisers to access the FRANCE TRAVAIL information system were not sufficiently robust.

In addition, the restricted committee highlighted the inadequacy of logging measures to detect abnormal behaviour on its information system.

Finally, the restricted committee noted that the access authorisations for CAP EMPLOI advisers' accounts had been defined too broadly, allowing those advisers to access data on individuals they were not supporting, which increased the volume of data accessible to hackers.

In determining the sanction, the restricted committee took into account the fact that most of the appropriate security measures had been identified by FRANCE TRAVAIL, prior to the implementation of the processing, in the impact assessments, but had not actually been implemented.

The role of the CNIL regarding the complainants

The CNIL is the French personal data regulator. It responds to requests from individuals and professionals.

Anyone can lodge a complaint with the CNIL when they encounter difficulties in exercising their rights or to report a breach of personal data protection rules. The CNIL can carry out investigations on organisations and, in the event of breaches, it can decide to sanction them.

However, the CNIL does not have the authority to compensate individuals who lodged a complaint. The individuals concerned may file a complaint with the police.

Source

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency: Various DPAs (CNIL, BfDI, AEPD, etc.)
Filed: January 29th, 2026
Instrument: Enforcement
Legal weight: Binding
Stage: Final
Change scope: Substantive

Who this affects

Applies to: Employers, Government agencies
Geographic scope: National (France)

Taxonomy

Primary area: Data Privacy
Operational domain: Compliance
Topics: Cybersecurity, GDPR
