Record breach of French government exposes up to 43 million people's data

A French government department - responsible for registering and assisting unemployed people - is the latest victim of a mega data breach that compromised the information of up to 43 million citizens.

France Travail announced on Wednesday that it informed the country's data protection watchdog (CNIL) of an incident that exposed a swathe of personal information about individuals dating back 20 years.

The department's statement reveals that names, dates of birth, social security numbers, France Travail identifiers, email addresses, postal addresses, and phone numbers were exposed.

Passwords and banking details aren't affected, at least.

That said, CNIL warned that the data stolen during this incident could be linked to stolen data in other breaches and used to build larger banks of information on any given individual.

It's not clear whether the database's entire contents were stolen by attackers, but the announcement suggests that at least some of the data was extracted.

"The database allegedly extracted illicitly contains the personal identification data of people currently registered, people previously registered over the last 20 years as well as people not registered on the list of job seekers but having a candidate space on francetravail.fr," the statement reads, which was translated electronically from French. 

"It is therefore potentially the personal data of 43 million people which have been exfiltrated."

The Cybercrime Brigade of the Paris Judicial Police Department is heading up the investigation into the breach, which it says was carried out between February 6 and March 5.

French citizens are urged to remain on heightened alert and vigilant to any phishing attempts in the coming days, weeks, and months. Checking all passwords are strong and not easily crackable is another of the key recommendations.

"Reports indicate the data includes personal identity data, social security numbers, and other physical address data," Joe Hancock, non-lawyer partner and head of the cybersecurity and investigations practice at Mishcon de Reya told The Reg.

"This would seem to have value for identity theft and fraud and is of obvious concern. Often though it is difficult to link a specific breach to actual harm, and individuals may never know if they are impacted.

"It's not clear how the attack happened apart from reports that the attackers posed as members of Cap Emploi. This could indicate some kind of social engineering over a more technical attack, or likely the two together."

Cap Emploi, is a similar department that looks after disabled people looking for work.

France Travail will soon undertake the mammoth task of directly informing those affected by email or by other means, and has apologized for the incident.

"The security of data entrusted by job seekers and companies is a constant concern for us. Faced with the threat of cyberattacks which increasingly weighs on companies and organizations at national and European levels, we must continually strengthen our protection systems, procedures, and instructions," it said. 

"Also, as soon as we became aware of this intrusion, we took additional measures with the Cap emploi network to strengthen our systems for protecting access to our applications by our partners."

This data breach is a real stinker for France Travail, which seems to be unable to catch a break. In August last year, it was caught up in an incident at a service provider that also compromised the data of an estimasted 10 million French citizens.

Wider reporting at the time pinned the blamed for the attacks on Cl0p's supply chain assault of MOVEit MFT.

It's been a tough month for France in terms of cybersecurity and data protection too. Just a month ago, the contry was contending with what was called the largest-ever data breach.

Data breaches at Viamedis and Almerys, two third-party payment providers for healthcare and insurance companies, led to more than 33 million people's data being compromised.

Yann Padova, a data protection lawyer and former secretary general at the CNIL, told Franceinfo at the time that he believed the incident to be the largest of its kind in France.

Affecting more people and including more data points than the breaches of Viamedis and Almerys, the France Travail attack will, for now, be known as the country's worst-ever data breach.

The France Travail attack also comes just days after numerous French government departments were reportedly targeted by DDoS attacks, which were later claimed by the pro-Russia Anonymous Sudan group.

Local media reported on Monday that Prime Minister Gabriel Attal's Office said the attacks were of "unprecedented intensity" but were ultimately contained.

The strikes weren't attributed to the Kremlin, although the cyber nuisances at Anonymous Sudan are believed to act against Russia's enemies.

Perhaps just a coincidence, the attacks also came just days after France President Emmanuel Macron publicly reaffirmed the country's unwavering support for Kyiv in the war against Ukraine. ®