France Travail 2024: 43M French Citizens Leaked, What Really Happened
Timeline
February 2024: France Travail (formerly Pole Emploi, the French national employment agency) discovers unauthorized access to its database. The agency notifies CNIL (France's data protection authority) on March 8, 2024.
March 13, 2024: France Travail publishes a statement acknowledging a cyberattack that potentially exposed personal data of 43 million people. The scope includes current job seekers, former registrants over the past 20 years, and anyone with a candidate account.
March 2024: CNIL opens an investigation. The Paris prosecutor's office refers the case to its cybercrime section.
Data Exposed
Compromised data includes names, dates of birth, social security numbers, France Travail identifiers, email and postal addresses, and phone numbers. Passwords and banking data were not affected according to France Travail.
The social security number is the critical element. It is a unique, permanent identifier. Unlike a password, it cannot be changed. It is used as an authentication key in many contexts (healthcare, retirement, government services).
Attack Vector
Based on public information, the attack exploited compromised Cap Emploi counselor accounts. Attackers used these legitimate credentials to query the database and extract information. This was not a spectacular technical vulnerability, but a failure of access control and monitoring.
Critical points identified:
Impact
43 million people affected, covering virtually the entire active and formerly active French population. The exposed data enables targeted phishing (spear phishing), identity theft, and administrative fraud.
CNIL received thousands of reports following the incident. Phishing campaigns exploiting the stolen data were detected in the following weeks.
Lessons for Organizations
Access control is not optional. Accounts with global access to a database of 43 million records represent systemic risk. Least privilege would have limited extraction.
Mass extraction detection is essential. If an account downloads millions of records, the system must alert immediately.
Historical data must be archived. Keeping 20 years of data accessible online multiplies the impact surface.
Authentication for critical access must be strengthened. Multi-factor authentication for accounts with access to sensitive data is not a luxury.
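As an added example (not France Travail's or CleanIssue's code) of the mass-extraction check above, a sliding-window volume detector run over constructed audit-log lines; the log format, the 15-minute window and the 10,000-record threshold are assumptions:

```python
"""Bulk-extraction detector over constructed audit-log lines (added example).
Assumes each line records one query by one account and the record count returned."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a counselor doing normal case lookups during the day,
# and a compromised counselor account paging through the database at night.
SAMPLE_LOG = """\
2024-02-03T09:01:10 account=counselor_17 action=query_candidates records=1
2024-02-03T09:04:52 account=counselor_17 action=query_candidates records=3
2024-02-03T02:10:00 account=counselor_42 action=query_candidates records=5000
2024-02-03T02:12:30 account=counselor_42 action=query_candidates records=5000
2024-02-03T02:15:05 account=counselor_42 action=query_candidates records=5000
2024-02-03T10:30:00 account=counselor_17 action=query_candidates records=2
"""

WINDOW = timedelta(minutes=15)   # sliding window length (assumed policy value)
RECORD_THRESHOLD = 10_000        # records per account per window (assumed)

def parse_line(line):
    """Return (timestamp, account, records) for one 'key=value' log line."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["account"], int(kv["records"])

def detect_bulk_extraction(log_text, window=WINDOW, threshold=RECORD_THRESHOLD):
    """Return {account: (records_in_window, first_alert_time)} for every account
    whose record volume inside any sliding window exceeds the threshold.
    Events are sorted first because a raw log is not guaranteed to be ordered."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)   # account -> (ts, records) events inside the window
    totals = defaultdict(int)     # account -> running record count in the window
    alerts = {}
    for ts, account, records in events:
        q = recent[account]
        q.append((ts, records))
        totals[account] += records
        # Evict events older than the window before testing the threshold.
        while q and ts - q[0][0] > window:
            _, old_records = q.popleft()
            totals[account] -= old_records
        if totals[account] > threshold and account not in alerts:
            alerts[account] = (totals[account], ts)
    return alerts
```

Each individual query here is small enough to look like casework; only the aggregate over the window exposes the extraction, which is why per-request limits alone are not sufficient.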
What CleanIssue Checks
During an external review, we identify exactly this type of flaw: overly broad access, APIs without extraction limits, exposed historical data. This is what makes the difference between a limited incident and a 43-million-victim catastrophe.
The France Travail breach underscores a pattern seen repeatedly in public-sector systems: legacy architectures, broad internal access, and insufficient monitoring create conditions where a single compromised credential can expose decades of accumulated personal data.
Sources
Editorial analysis based on official vendor, project, and regulator documentation.