France’s national employment agency, France Travail, was fined €5 million by the Commission Nationale de l’Informatique et des Libertés (CNIL), the French privacy and data protection authority, after a breach exposed personal data belonging to millions of job seekers. The penalty was imposed on January 22, 2026, for failing to implement adequate technical and organisational safeguards to protect the personal information processed by the agency, in violation of Article 32 of the General Data Protection Regulation (GDPR).

The breach occurred in early 2024 when one or more attackers gained unauthorised access to France Travail’s information systems using social engineering techniques that targeted accounts at Cap Emploi, an agency division supporting job seekers with disabilities. The attackers accessed records of individuals registered with France Travail over approximately 20 years, including names, social security numbers, email and postal addresses, and telephone numbers. The breach did not give attackers access to complete job seeker files such as health data, and there was no indication that financial account information or login credentials were obtained.

CNIL found that several key security measures were lacking at France Travail at the time of the incident. Authentication methods for Cap Emploi staff accounts permitted short passwords and did not require multi-factor authentication, and log-in attempts were not sufficiently limited before accounts were locked. Broad access rights further increased the volume of data that could be accessed by unauthorised parties. Based on these findings, CNIL concluded that France Travail had not met its obligation under GDPR to apply appropriate security measures relative to the risks posed by processing large volumes of personal data.

CNIL’s decision requires France Travail to provide evidence of corrective measures within a defined timeframe and imposes a conditional daily penalty of €5,000 for delays in addressing the shortcomings. The fine reflects the number of individuals affected, the sensitivity of the data exposed, and the absence of adequate cybersecurity controls at the agency.

France Travail, formerly known as Pôle Emploi, is the public employment service responsible for administering unemployment benefits and maintaining job seeker records. The breach highlighted systemic issues in the agency’s approach to data security and prompted regulatory action to improve protections around the personal information of job applicants and beneficiaries.

CNIL’s sanction follows other high-profile fines under GDPR for data security failures by both public and private organisations. The decision emphasises regulatory expectations for implementing robust security measures when processing large datasets containing personal identifiers and contact information.

Individuals affected by the breach may be contacted by France Travail as part of ongoing notification obligations under GDPR. Law enforcement agencies have been involved in investigating the 2024 intrusion, and authorities continue to monitor compliance with the corrective plan mandated by CNIL.
