In March 2024, France Travail, the French public employment service, was hit by a data breach. The attackers did not use advanced technology; they used social engineering. They posed as legitimate partners, persuaded employees to assist them, and gained access to the systems without breaking anything technically.
Once inside, they found something that made the damage far greater than it needed to be: access rights defined too broadly. CAP EMPLOI advisors, who collaborated with France Travail in supporting job seekers, had system access to data on all registered users, not just those they actually supported. Social security numbers, emails, phone numbers, and mailing addresses for everyone who had been registered in the past 20 years: 43 million people.
The French data protection authority CNIL found two specific weaknesses: the login procedures were not robust enough, and the access rights were too broad. The fine was 5 million euros.
Practical point: Review who in the company has access to what. No one should have more access than what is necessary for their job. External consultants do not need to see all customer information. Not all managers need access to all employee personnel files.
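To make the access-rights point concrete, here is an added example (not code from the article or from CNIL) contrasting a role-only check, under which any advisor can read every job seeker's record, with a check scoped to the advisor's own caseload, plus a small audit that counts how many records each grant exceeds the need by. All advisor names, record ids and field values are constructed for the example.

```python
# Added example: object-level authorization scoped to an advisor's caseload,
# beside the over-broad role-only check, and an audit of the excess.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, Optional

@dataclass(frozen=True)
class Advisor:
    name: str
    role: str                               # "advisor" or "admin"
    caseload: FrozenSet[str] = frozenset()  # ids of the job seekers this advisor supports

# Constructed sample records keyed by job-seeker id; values stand in for sensitive fields.
RECORDS: Dict[str, Dict[str, str]] = {
    "js-001": {"email": "a@example.org", "ssn": "SSN-A"},
    "js-002": {"email": "b@example.org", "ssn": "SSN-B"},
    "js-003": {"email": "c@example.org", "ssn": "SSN-C"},
}

def can_read_role_only(advisor: Advisor, record_id: str) -> bool:
    """Over-broad check: membership in the 'advisor' role grants every record."""
    return advisor.role == "advisor" and record_id in RECORDS

def can_read_scoped(advisor: Advisor, record_id: str) -> bool:
    """Least-privilege check: an advisor reads only records on their own caseload."""
    return record_id in RECORDS and record_id in advisor.caseload

def read_record(advisor: Advisor, record_id: str,
                check: Callable[[Advisor, str], bool] = can_read_scoped) -> Optional[Dict[str, str]]:
    """Return a copy of the record if `check` allows it, otherwise None."""
    return dict(RECORDS[record_id]) if check(advisor, record_id) else None

def audit_excess(advisors: Iterable[Advisor],
                 check: Callable[[Advisor, str], bool] = can_read_role_only) -> Dict[str, int]:
    """Count, per advisor, the records readable under `check` that are not on their caseload."""
    excess: Dict[str, int] = {}
    for adv in advisors:
        readable = {rid for rid in RECORDS if check(adv, rid)}
        excess[adv.name] = len(readable - adv.caseload)
    return excess

# Constructed advisors: an external partner supporting one job seeker, an internal one supporting two.
PARTNER = Advisor("partner-advisor", "advisor", frozenset({"js-001"}))
INTERNAL = Advisor("internal-advisor", "advisor", frozenset({"js-002", "js-003"}))

if __name__ == "__main__":
    print(audit_excess([PARTNER, INTERNAL]))                   # {'partner-advisor': 2, 'internal-advisor': 1}
    print(audit_excess([PARTNER, INTERNAL], can_read_scoped))  # {'partner-advisor': 0, 'internal-advisor': 0}
```

The audit is the kind of check an access review produces: any non-zero excess is a grant to revisit before an attacker who has talked their way into an account can use it.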
Inspired by: CNIL