The French employment agency, France Travail, has received a €5m ($6m) fine for security failures that led to the compromise of an estimated 43 million jobseekers.
In a public statement on January 29, 2026, France’s data protection regulator, the Commission Nationale de l’Informatique et des Libertés (CNIL), said it issued sanctions against France Travail following an investigation into the data breach.
France Travail Breach: Personal Data of 43m Users at Risk
In March 2024, France Travail announced that its IT systems and those of Cap Emploi, a government employment service that supports people with disabilities, were breached.
According to France Travail, exposed personal data included names, social security numbers, dates of birth, user IDs, email and postal addresses, and phone numbers of France Travail and Cap Emploi users.
However, the attackers did not gain access to any jobseekers’ complete France Travail files nor any healthcare data.
The data breach could affect users who registered on Cap Emploi over the past 20 years, representing 43 million potential users’ data exposed.
Following the incident, the Paris public prosecutor’s office announced that the French police arrested three individuals, all based in France and aged 21, 22 and 23 at the time. They were suspected to be behind the breach.
A judicial investigation was opened relating to charges of “fraudulent access to and maintenance of an automated data processing system, extraction of such data, fraud and money laundering.”
France Travail’s Response Violated GDPR, Regulator Says
The CNIL opened another investigation to determine whether sufficient data security measures were in place in compliance with the EU’s General Data Protection Regulation (GDPR).
This investigation concluded on January 22, 2026. It found multiple security and organizational issues at France Travail and said the agency “failed to secure the personal data of jobseekers.”
Specifically, The CNIL found the following France Travail shortcomings:
- Inadequate technical and organizational measures: France Travail failed to implement sufficient security controls to make the cyber-attack harder, violating Article 32 of the GDPR (obligation to ensure appropriate security)
- Weak authentication for Cap Emploi advisors: The login methods used by Cap Emploi advisors to access France Travail’s systems were not robust enough, increasing vulnerability
- Poor logging and monitoring: The agency lacked effective logging measures to detect unusual or suspicious activity in its systems
- Overly broad access permissions: Cap Emploi advisors had excessive access rights, allowing them to view data of individuals they were not assisting, which expanded the breach’s impact
Furthermore, the CNIL investigation concluded that, while France Travail had identified some of the necessary security measures to mitigate such a threat in its data protection impact assessments (DPIAs), it did not implement them in practice.
The €5m penalty takes into account the failure to comply with fundamental security principles, the number of individuals affected and the volume and sensitivity of the data processed.
Additionally, the CNIL has ordered France Travail to provide evidence of corrective measures implemented, following a strict timeline. Failure to meet these deadlines will result in a €5000 ($5980) daily fine.
The CNIL also noted that, as a publicly funded administrative body – financed through employer and employee social contributions – France Travail’s budget is legally fixed. Because of this, GDPR fines (under Article 32) are not tied to revenue but instead fall within a set range, with a maximum penalty of €10m ($11.9m) for data security failures.
France Travail suffered another data breach in July 2025 on its “employment” portal, used by its partners, that could have exposed personal data of 340,000 users. The latest CNIL fine does not cover this incident.
