The French data protection authority announced Thursday it has fined the country’s primary governmental agency responsible for registering job seekers, providing unemployment benefits and aiding in job placement €5 million (about $6 million) for poor data security.

Early in 2024, hackers breached France Travail’s computer systems using social engineering attacks, the regulator known as CNIL said in a press release.

The hack allowed the adversaries to take over the accounts of the organizations responsible for supporting and monitoring the employment of people with disabilities, the press release said.

The hackers accessed data belonging to everyone who had registered with the organization for the past 20 years. They did not access job seekers’ health data, but did obtain National Insurance numbers, email and postal addresses and telephone numbers. 

The fine amount was based on France Travail’s “ignorance of essential security principles, the number of people affected and the volume and sensitivity of the data processed,” the press release said.

Security flaws included poor authentication processes, insufficient logging checks to detect abnormal behavior and broader data access than was needed.

France Travail has been ordered to immediately implement proper security controls.

The organization said it is “fully aware of the seriousness of the events that occurred and of our responsibility in matters of data protection.” 

“While we do not dispute the CNIL's decision, we nevertheless regret its severity given our very strong commitment to cybersecurity and the protection of our users' data since this incident occurred.”