It’s a blow for France Travail. On January 22, 2026, the National Commission on Informatics and Liberties (CNIL) fined the public institution 5 million euros. The sanction follows a cyberattack in the first quarter of 2024 that compromised the personal data of all individuals registered on the platform over the past twenty years.
A Social Engineering Attack
The hackers used social engineering techniques to impersonate advisors from Cap Emploi, the bodies dedicated to supporting people with disabilities. Once inside the information system, the attackers could access a substantial volume of sensitive data: social security numbers, email and postal addresses, and phone numbers of all registrants and applicants on francetravail.fr.
Although the complete files of job seekers, including health data, were not compromised, the scale of the breach remains considerable.
Security Flaws Identified… but Not Fixed
The CNIL’s inspection highlighted serious shortcomings in security measures. First issue: the authentication methods for Cap Emploi advisors were not sufficiently robust. Second deficiency: the absence of effective logging systems to detect abnormal behavior on the network.
But the most damning finding lies elsewhere. The access permissions for Cap Emploi advisors had been defined too broadly, allowing them to access data of people they did not directly assist. This configuration amplified the volume of data accessible to intruders.
The CNIL’s restricted committee, the body that issues its sanctions, highlighted an aggravating factor: France Travail had identified most of these security measures in its impact assessments, ahead of the data processing. They had simply never been implemented.
A Sanction Coupled with Corrective Measures
In addition to the €5 million fine, the CNIL ordered France Travail to justify the corrective measures taken, according to a precise schedule. In case of non-compliance, a penalty of €5,000 will apply for each day of delay.
For a public institution whose budget largely depends on social contributions, the sanction is not trivial. The amount of the fine, which cannot exceed €10 million for a data-security breach under Article 32 of the GDPR, will be paid into the State budget via the Treasury.
France Travail Regrets the “Severity” of the Sanction
In a statement, France Travail acknowledged the decision without contesting it before the Council of State (Conseil d’État). The body recognizes “the gravity of the events that occurred” and its “responsibility in matters of data protection,” while regretting the “severity” of the sanction “in light of our strong commitment to cybersecurity.”
France Travail says it anticipated the regulator’s decision by already implementing the corrective measures requested. The agency notes that it has had two-factor authentication deployed for almost two years and has begun the development work needed to comply with all of the CNIL’s injunctions.
The organization highlights its cybersecurity efforts, claiming to thwart “nearly 10,000 cyberattacks” each year. It also emphasizes its enhanced awareness policy: employees and partner staff must now undertake mandatory training renewed every six months as a condition for accessing the information system.
“In a context where cyber threats continue to rise, we remain more than ever mobilized to strengthen our protection systems,” France Travail concludes, noting that 90% of cyber incidents stem from human error.