Features 03.03.2026

AI Autopsy: France Travail’s 37 Million Reasons to Improve Security Posture

France Travail’s failings are a reminder that identifying risk is not the same as managing it

Government employment agency France Travail has been fined €5m for a shocking lack of care in its data protection regime. Phil Muncaster digs beneath the surface and finds that the agency identified but failed to mitigate risk

Sixty-second snapshot:

  • French employment agency France Travail suffered a major data breach impacting 43 million jobseekers
  • Data protection regulator CNIL listed a catalogue of issues, including a lack of MFA, insufficient password complexity, excessive permissions, poor detection and response and data minimisation failures
  • CISOs should consider creating a board-visible risk-to-remediation register to close governance-execution gaps like France Travail’s
  • Zero trust security can also help, including continuously verifying identity, enforcing least privilege access and acting on abnormal behaviour in real time
  • Detection and response controls should be wired to automatically trigger containment on detection of unusual activity
  • CISOs should consider continuous controls monitoring to close security gaps and maintain compliance on an ongoing basis

The UK’s data protection regulator is often accused of pulling its punches when it comes to fining organisations that breach the GDPR. To silence its detractors, it could learn a thing or two from its French counterpart, the Commission nationale de l’informatique et des libertés (CNIL). Just weeks after hitting telco Free with €42m (£36m) in monetary penalties, it fined government employment agency France Travail €5m (£4.4m).

The incident exposed personally identifiable information (PII) on 36.8 million jobseekers dating back 20 years. The worst part of it? The agency knew what was wrong with its data protection regime. It just chose not to act.

Back to the beginning

Back in March 2024, France Travail announced that an unauthorised individual had accessed its IT systems and those of Cap Emploi. The PII exposed to the malicious actor included names, social security numbers, dates of birth, user IDs, email and postal addresses, and phone numbers for those registered with France Travail and Cap Emploi.

However, it wasn’t until the recent regulatory fine that we found out exactly what happened. France Travail first detected abnormal activity on February 29 2024, and finally took action on March 4. Its investigation revealed that the attack ran from February 6 to March 5 that year, with the threat actor targeting Cap Emploi employees’ accounts using social engineering techniques.

“CNIL made it clear that recognising a risk and failing to mitigate it over time constitutes negligence under Article 32” Dale Hoak

By posing as Cap Emploi staffers, they were apparently able to trick the IT helpdesk into issuing a password reset. They then contacted the victimised Cap Emploi employees, masquerading as the helpdesk, to obtain the password. PII on every single person who was, or had been, registered over the previous two decades, as well as individuals with a candidate account, was exposed. That amounted to a 26GB haul of personal data, which could be used to launch follow-on phishing attacks and commit identity fraud.

What went wrong?

The most egregious compliance oversight was a failure to ensure the security of personal data: Article 32 of the GDPR. Although France Travail sought to blame Cap Emploi for the incident, CNIL held it responsible for the technical failings that led to the breach. They were numerous and included:

  • Authentication failings, including insufficiently complex password requirements (a minimum of just eight characters) and a lockout threshold of 50 unsuccessful login attempts – way more than the 10 recommended by CNIL. The agency also did not require multifactor authentication (MFA) for employees logging on
  • Identity management issues, including excessive permissions, which enabled advisors in one region to access the full records of any individual in the national database. Additionally, no controls were in place to restrict advisors’ access rights to the jobseekers they were supporting
  • Insufficient detection and response, in that it took five days to begin an investigation following an initial detection of unusual activity. The system also failed to automatically block this activity when it detected “high resource consumption”
  • Excessive data retention, which allowed the threat actor to access PII on people who hadn’t been registered for 20 years
  • Failure to act on the findings of a Data Protection Impact Assessment (DPIA), which identified many of the above deficiencies

A governance-execution gap

Richard Churchill, a principal consultant at technology consultancy Leading Resolutions, describes the snafu as a classic example of a “governance-execution gap”.

“It’s more common than boards generally recognise, usually because the mechanisms that translate audit insight into funded, tracked delivery simply don’t exist or don’t function effectively,” he tells Assured Intelligence.

“In large organisations, security and control remediation are frequently approved in principle, but not tracked through to outcome, leaving boards exposed despite ‘doing the right things’ on paper. In my experience, most organisations can produce a risk register. However, very few can produce the investment-to-outcome audit trail that proves they acted on it. That’s a finance-technology governance gap, and it’s where the real exposure sits.”

Organisations that get this right tend to have a “board-visible risk-to-remediation register” in place, which links risks to named owners and evidence of operational control – rather than containing vague mitigation language, Churchill continues. They also ensure remediation funding is directly linked to demonstrable risk reduction rather than merely being approved in principle.

“Finally, when delivery slips or scope is reduced, residual risk must be explicitly re-presented and re-accepted at the executive or board level, eliminating silent drift and forcing accountable decision-making,” he concludes. “Overall, it’s the rigour of risk management that builds well-informed and confident boards. Issues and risks may occur, but they must be very securely governed.”

Zeroing in on zero trust

Lakshmi Hanspal, chief trust officer and CISO at DigiCert, believes zero trust may have helped France Travail avoid a multimillion-pound fine.

“When weak authentication, excessive access privileges and ignored alerts co-exist, that signals a failure across people, process and governance, not just systems” Lakshmi Hanspal

“When weak authentication, excessive access privileges and ignored alerts co-exist, that signals a failure across people, process and governance, not just systems. A true zero trust approach means continuously verifying identity, enforcing least privilege access and acting on abnormal behaviour in real time,” she tells Assured Intelligence.

“In addition, it demands leadership accountability to ensure security measures identified on paper are implemented in practice. Greater awareness and education must also continue to be shared, as consumers, employees, and third parties rely on best practices in a shared-responsibility model to stay ahead of vulnerabilities. Nobody wants to be the reason why a breach happened.”

RegScale CISO, Dale Hoak, also cites some zero-trust staples among a long list of “lessons learned” recommendations for security leaders. These include access controls based on the principle of least privilege.

“Access controls should be continuously evaluated against actual job function, active case assignment, and behavioural signals. If you can’t automatically detect and flag excessive access, you don’t truly have least privilege,” he tells Assured Intelligence.

Hoak adds that logging should be “wired directly” to automatically trigger containment controls and “escalate, block, or throttle activity without waiting for manual intervention”. France Travail’s slow detection and response efforts illustrate a failure of governance characterised by “missing escalation paths, unclear ownership, and no defined thresholds for action”, he continues.
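A log-driven containment pipeline of the kind Hoak describes, as an added example (not code from the article, France Travail or any vendor it quotes): the caseload table and audit events are constructed, the out-of-caseload thresholds are assumed values, and the 10-attempt lockout follows the CNIL recommendation cited above.

```python
from collections import defaultdict

# 10 is the failed-login lockout count CNIL recommends (per the article);
# the two out-of-caseload limits are assumed values chosen for this example.
LOCKOUT_AFTER_FAILED_LOGINS = 10
THROTTLE_AFTER_OUT_OF_SCOPE_READS = 3
BLOCK_AFTER_OUT_OF_SCOPE_READS = 5

# Hypothetical caseload table: the jobseeker ids each advisor is assigned to.
CASELOAD = {"adv-01": {"js-100", "js-101"}, "adv-02": {"js-200"}}


def build_events():
    """Constructed audit events (not real data): a 12-attempt failed-login burst
    against adv-02, then adv-01 reading one assigned record and six others."""
    events = [{"user": "adv-02", "type": "login_failed"} for _ in range(12)]
    events.append({"user": "adv-01", "type": "record_read", "jobseeker": "js-100"})
    events += [{"user": "adv-01", "type": "record_read", "jobseeker": f"js-{900 + i}"}
               for i in range(6)]
    return events


def respond(events, caseload):
    """Return the containment actions the log pipeline fires on its own, in order:
    escalate on the first out-of-caseload read, throttle, then block; lock on
    the 10th failed login. No step waits for a human to pick up a ticket."""
    failed = defaultdict(int)
    out_of_scope = defaultdict(int)
    actions = []
    for e in events:
        user = e["user"]
        if e["type"] == "login_failed":
            failed[user] += 1
            if failed[user] == LOCKOUT_AFTER_FAILED_LOGINS:
                actions.append(("lock_account", user))
        elif e["type"] == "record_read":
            if e["jobseeker"] in caseload.get(user, set()):
                continue  # read is within the advisor's caseload: least privilege holds
            out_of_scope[user] += 1
            n = out_of_scope[user]
            if n == 1:
                actions.append(("escalate_to_owner", user))
            elif n == THROTTLE_AFTER_OUT_OF_SCOPE_READS:
                actions.append(("throttle_session", user))
            elif n == BLOCK_AFTER_OUT_OF_SCOPE_READS:
                actions.append(("block_session", user))
    return actions


if __name__ == "__main__":
    for action, user in respond(build_events(), CASELOAD):
        print(f"{action}: {user}")
```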

Any security controls must be continually enforced, not periodically documented, says Hoak. “Weak password policies, missing MFA and excessive permissions are control drift,” he adds. “If a system allows 50 failed logins, has no MFA, and grants nationwide access by default, it’s an absence of continuous control validation. CISOs should be measuring these conditions in real time, not discovering them during regulatory investigations.”

Manage the risk

Above all, France Travail’s failings are a reminder that identifying risk is not the same as managing it, Hoak argues.

“CNIL made it clear that recognising a risk and failing to mitigate it over time constitutes negligence under Article 32. CISOs must be able to demonstrate that identified risks translate into deployed controls, tracked exceptions, and measurable outcomes,” he concludes.

“Nor can compliance be treated as a static artefact. CISOs should be investing in compliance-as-code and continuous controls monitoring so that policy, risk, and technical enforcement are always in sync. When controls are continuously measured and enforced, these failures don’t persist for years. They’re detected, corrected, or escalated immediately.”
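The continuous control validation Hoak calls for in the two passages above, combined with the tracked exceptions and explicit re-acceptance Churchill describes, as an added example (not code from the article or any organisation it names): the control set mirrors the failings CNIL listed, the evidence snapshot is constructed, and the 12-character minimum, retention limit, owners and exception dates are assumed values.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Control:
    cid: str
    description: str
    owner: str                      # named owner, as a board-visible register needs
    check: Callable[[dict], bool]   # True when the evidence shows the control holds

# Controls mirror the failings CNIL listed; the 10-attempt lockout is CNIL's
# recommendation, the 12-character minimum and retention limit are assumed targets.
CONTROLS = [
    Control("AUTH-MFA", "MFA required for employee logins", "IAM lead",
            lambda ev: ev["mfa_required"]),
    Control("AUTH-LOCK", "Lockout after at most 10 failed logins", "IAM lead",
            lambda ev: ev["lockout_threshold"] <= 10),
    Control("AUTH-PWD", "Password minimum length at least 12", "IAM lead",
            lambda ev: ev["min_password_length"] >= 12),
    Control("ACCESS-SCOPE", "Advisor access limited to own caseload", "Data owner",
            lambda ev: ev["default_record_scope"] == "caseload"),
    Control("RETENTION", "No jobseeker records kept past the retention limit", "DPO",
            lambda ev: ev["oldest_record_years"] <= ev["retention_limit_years"]),
    Control("DETECT-AUTO", "Anomaly alerts trigger automatic containment", "SOC lead",
            lambda ev: ev["auto_containment"]),
]

def build_evidence():
    """Constructed evidence snapshot shaped like the article's findings."""
    return {"mfa_required": False, "lockout_threshold": 50, "min_password_length": 8,
            "default_record_scope": "national", "oldest_record_years": 20,
            "retention_limit_years": 5, "auto_containment": False}

def evaluate(controls, evidence, exceptions, today):
    """Return {control id: (status, accountable person)} where status is 'pass',
    'excepted' (risk accepted and still in date) or 'drift' (failing with no
    valid exception, so it must be remediated or formally re-accepted).
    exceptions maps control id -> (approver, expiry); dates are ISO strings,
    which compare correctly as plain strings."""
    status = {}
    for c in controls:
        if c.check(evidence):
            status[c.cid] = ("pass", c.owner)
            continue
        exc = exceptions.get(c.cid)
        if exc and exc[1] >= today:
            status[c.cid] = ("excepted", exc[0])
        else:
            status[c.cid] = ("drift", c.owner)
    return status
```

Run against a fresh evidence export on every change, the "drift" set is the list a CISO measures in real time rather than discovers during an investigation.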
