Hackers stole 20 years of personal data relating to job seekers from a French agency. And it went unnoticed for five weeks. The boss of France Travail, Alexandre Saubot, has a right to look grim (as pictured).

It’s just weeks since 33 million French users had their data stolen from a pair of payment providers. In today’s SB Blogwatch, we are vain and we are blind.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: TH on OGWT.

“Must individually notify all people”
A preliminary investigation was opened by the Paris Prosecutor’s Office after a cyberattack suffered by the France Travail website. … This very significant data leak took place between February 6 and March 5, 2024.
…
The data stolen … were: First and last name, social security number, date of birth, France Travail identifier, email and postal addresses and telephone numbers. … By law, the employment agency must individually notify all people affected by this personal data breach.

“Increases the risk”
France Travail is the French governmental agency responsible for registering unemployed individuals, providing financial aid, and assisting them in finding jobs. … Hackers stole details belonging to job seekers registered with the agency in the last 20 years. … Data from individuals with a job candidate profile was also exposed.
…
This data increases the risk of identity theft and phishing for the exposed individuals, so … the country’s data protection agency, the National Commission of [Technology] and Liberties (CNIL) … recommends potentially impacted people to be particularly vigilant with emails, phone calls, and SMS they receive. [It] warns that cybercriminals may use what’s available to correlate with missing data points from other breaches.

“We obviously apologize”
In accordance with our obligations under … GDPR, we have notified CNIL and have also today filed a complaint with the judicial authorities. … Passwords and banking details are not affected by this act of cybermaliciousness. There is therefore no compensation.
…
A preliminary investigation was opened by the Paris Public Prosecutor’s Office and entrusted to the Cybercrime Brigade of the Paris Judicial Police Department. … Aware of the consequences that this may cause, we will inform all identified people via their personal space or by email to whom we obviously apologize. … The security of [your] data is a constant concern for us.

I spent part of my childhood in France. … One thing I’ll never forget is a scene of street construction in a French town: It’s about 11:30am, and three guys all get done with the excavator and jackhammers. One guy goes and grabs something long from the bed of a truck, another heads to the cab and reaches for a brightly colored bundle, and the third guy grabs some chairs from the other side.

Right in the middle of the cordoned-off construction zone, the first guy sets up a folding table, the second guy neatly places a tablecloth on top along with a baguette and bottle of wine and some cheese etc., and the third guy brings up the chairs. These guys sat down for a nice meal for 90 minutes—at least—before getting back to work.

I think my American parents thought, “Wow, how in the hell does anything ever get built in this country?” while my thought was mostly, “That seems really nice, they look so relaxed!”

Some countries just regard privacy as more important than others. Working in France years ago I received a letter from HR, addressed to me (at work) and clearly labelled Personal and Confidential. Since I wasn’t there, the office admin opened it to see if it needed attention. She could not understand why I went ballistic, since it was “only” a letter from HR.

I also remember going to the mairie (town hall) to get some information on a planning application for a field next door to our house. I asked to see the plans for the proposed building, as I was legally entitled to do. The secretary just handed me the entire dossier, complete with name, address and salary/mortgage information for the buyer, noting “the plans will be in there somewhere.”

It should be obvious by now that connecting government systems to the Internet that contain personal citizen data has failed. … You will never secure that data, no matter what you do.
…
Time to hit the Undo button and start over: … Governments need to invest in a private network that is completely air-gapped.

Population of France is a little less than 70 million. Given there is a percentage of inhabitants who wouldn’t appear in an employment database—kids/teens, homemakers, gentle(wo)men of leisure—that data must be about everyone having ever lived in France in the last two decades! “Identity Theft For Dummies” will be the next bestseller, I guess.

Remove 20–25% of young people who are studying and you get an idea of how many French people experienced unemployment (you do not sign up at France Travail if you do not look for a job). This is huge.

This clearly breaks GDPR, [which] states you should only hold data as long as strictly necessary. I cannot think of a single reason why you’d need information going back 20 years.

Recent Articles By Author