The French data protection authority fined the national employment agency €5 million (nearly €6 million) for failing to secure job seekers' data, which allowed hackers to steal the personal information of 43 million people.

France Travail (formerly known as Pôle Emploi) is the country's public employment service, providing unemployment benefits and helping job seekers find work. The agency also maintains extensive databases containing personal and financial information for millions of French citizens.

The National Commission on Informatics and Liberty (CNIL) imposed the penalty on France Travail following a data breach in early 2024 that exposed job seekers' personal information spanning 20 years.

In March 2024, the French government agency disclosed that the attackers stole the sensitive data of up to 43 million individuals, including their names, dates of birth, national insurance numbers, email and home addresses, and phone numbers.

However, the data breach didn't affect bank details or account passwords, and the hackers didn't obtain complete job-seeker files, which may also have contained sensitive health data.

"In the first quarter of 2024, one or more hackers managed to hack into the FRANCE TRAVAIL information system. They used techniques known as 'social engineering,' which involve exploiting people's trust, ignorance or credulity," the CNIL said on Thursday.

"This method enabled them to hijack the accounts of CAP EMPLOI advisers, i.e. the organisations responsible for supporting, monitoring and upholding the employment of people with disabilities."

The data protection watchdog also ordered France Travail to document corrective measures and to provide a detailed implementation schedule. Failure to comply with CNIL's order will result in daily penalties of €5,000 until the government agency demonstrates that it has remedied its security issues.

In August 2023, France Travail suffered another massive data breach affecting approximately 10 million individuals, exposing their full names and social security numbers.

Last year, CNIL also slapped Google with a €325 million ($378 million) fine for violating cookie regulations and imposed a €150 million ($174 million) fine on Shein's Irish subsidiary for similar violations of the General Data Protection Regulation (GDPR).

More recently, it fined Free Mobile and its parent company €42 million after an October 2024 data breach for failing to protect customer data against cyber threats.