We know more about the cyberattack against France Travail, where the personal data of more than 43 million job seekers was stolen. Three suspects have already been arrested. And they are very young!


That’s what we call an effective investigation! The Paris prosecutor’s office announced in a statement on March 19 that the brigade fighting against cybercrime (BL2C) has already arrested three people in their twenties linked to the large-scale hacking of France Travail (formerly Pôle Emploi). The organization had announced on March 13 that it had suffered a cyberattack affecting “potentially” 43 million people – a number which has been confirmed by the Paris prosecutor’s office. No less! “Following a cyberattack of which we were victims with Cap emploi, personal information concerning you may be disclosed. Your banking information is not affected. We are sorry for this incident and we invite you to remain vigilant”, reads a notice still displayed on its website several days after the announcement.

The three men were taken into custody and charged with “fraudulent access and maintenance in an automated data processing system, extraction of this data, scams and money laundering”. The prosecution specifies: “each of these offenses being aggravated by the circumstance of organized gangs”.

As Laure Beccuau, the Paris prosecutor, explains, the investigation was first able to confirm that the attack was based entirely on “Cap Emploi agent accounts, authorized to access the resources present on the France Travail information system”. Authorities were able to identify the three suspects using “technical and telephone investigations”. A search of their homes and an analysis of the computer equipment then revealed that they were engaged in “a fraudulent activity using the phishing technique”. However, the BL2C is not going to stop its investigation there. It is now looking for other possible actors involved in the hacking of France Travail and seeks to determine precisely the role that each played in the operation.

Hacking France Travail: a problem with data security and retention?

As a reminder, the attack took place between February 6 and March 5 – a vast period of one month – but it was only detected in the week of March 11, following “suspicious requests” in the database. The personal information of “people previously registered over the last twenty years as well as people not registered on the list of job seekers, but having a candidate space on francetravail.fr are likely to be disclosed and exploited illegally”, explains the job search agency. First and last names, social security numbers, dates of birth, France Travail identifiers, email and postal addresses, and telephone numbers were stolen. However, passwords and banking details were not leaked.


One annoying point, however: the retention period of personal data, which can, in this specific case, go up to twenty years. This is unusual to say the least, especially if we take into account the General Data Protection Regulation (GDPR), which provides for the deletion of inactive personal data after three years! However, this duration is stated in the document detailing France Travail’s policy and framework for personal data protection – even if, let’s be honest, no one reads it. “For people registered on the list of jobseekers, personal spaces and data are kept for a maximum period of twenty years after the cessation of registration on the list of jobseekers”, we can read. France Travail then refers to the law, citing the Labor Code (R.5312-44). Why such a long period? Quite simply to allow job seekers to reconstruct their career over time in order to assert their rights. Reconstructing someone’s professional career requires keeping various records over a long period. This can in particular be useful for asserting the right to retire, by recovering records linked to a period of unemployment that the person would not necessarily have kept. On the other hand, for people who are not registered on the list of job seekers, personal spaces are deleted thirteen months after the last connection.

Another annoying point: data security. Indeed, this hold-up was made possible by a “simple” impersonation of advisors from Cap Emploi, the organization in charge of job searches for disabled people, as reported by Le Monde. No cutting-edge cyberattack, therefore, but simply an action which certainly only required phishing… The hack highlights insufficient, or even absent, compartmentalization, which would otherwise have prevented malicious people from consulting data too broadly or carrying out massive operations on it. At the current stage of the investigation, the prosecution has not revealed how it is possible that so much data could have been exfiltrated by simple advisor accounts, without triggering the slightest alert.
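The kind of alert whose absence is noted above can be sketched as follows. This is an added example, not code from France Travail or from the investigation: the audit-log format, account names and thresholds are all assumptions. It counts the distinct records each account opens, per day and over the whole log, and flags accounts far above the median of their peers.

```python
from collections import defaultdict
from statistics import median

def sample_log():
    """Constructed audit lines: '<date> <account> <record-id>' (not real data)."""
    lines = []
    days = [f"2024-02-{d:02d}" for d in range(6, 26)]  # 20 days
    for day in days:
        for acct, n in (("advisor-a", 18), ("advisor-b", 25), ("advisor-c", 22)):
            # Ordinary caseload: the same few records re-opened every day.
            lines += [f"{day} {acct} rec-{acct}-{i}" for i in range(n)]
        # advisor-e: 150 records a day, never the same ones twice.
        lines += [f"{day} advisor-e rec-e-{day}-{i}" for i in range(150)]
    # advisor-d: a single day with thousands of distinct records.
    lines += [f"2024-02-07 advisor-d rec-d-{i}" for i in range(4000)]
    return lines

def distinct_counts(lines, per_day):
    """Distinct records per (account, day), or per account over the whole log."""
    seen = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # ignore malformed lines
        day, account, record = parts
        seen[(account, day if per_day else "window")].add(record)
    return {key: len(records) for key, records in seen.items()}

def flag(lines, per_day, floor, ratio=10):
    """Flag keys whose count is >= floor and >= ratio x the median of all keys."""
    counts = distinct_counts(lines, per_day)
    baseline = median(counts.values())  # median: one bulk reader barely moves it
    return sorted((acct, period, n) for (acct, period), n in counts.items()
                  if n >= floor and n >= ratio * baseline)

if __name__ == "__main__":
    log = sample_log()
    print("daily: ", flag(log, per_day=True, floor=200))
    print("window:", flag(log, per_day=False, floor=1000))
```

The daily check only catches the one-day bulk read; the cumulative check also catches the account that stays under the daily floor while steadily reaching new records, which matters for an extraction spread over a month.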

Hacking France Travail: one more cyberattack

A preliminary investigation was opened by the Paris Prosecutor’s Office and entrusted to the Cybercrime Brigade of the Paris Judicial Police Department, which set up a simplified complaints system for those affected. In accordance with the law, France Travail filed a complaint and notified the National Commission for Information Technology and Liberties (CNIL). All people affected by the cyberattack will of course be contacted. Support is also available through the 39 49 telephone platform to assist those who have questions on this subject. Finally, France Travail has made available to those who have been affected a simplified form to allow them to file a complaint directly online.

For her part, the president of the CNIL, Marie-Laure Denis, decided “to carry out investigations very quickly in order to determine in particular whether the security measures implemented prior to the incident and in response to it were appropriate with regard to the obligations of the General Data Protection Regulation (GDPR)”. If you are among those affected, the Commission advises you:

  • to be particularly vigilant regarding messages (SMS, emails) that you may receive, particularly if they invite you to carry out an urgent action, such as a payment;
  • never to communicate your passwords or banking details by email;
  • not to open attachments if in doubt and not to click on links contained in messages that invite you to connect to a personal space;
  • to periodically check the activities and movements on your various accounts;
  • to go to the site cybermalveillance.gouv.fr for advice on how to protect yourself from actions aimed at stealing your identity;
  • to ensure that you use sufficiently strong passwords for your email, bank accounts and other important services (taxes, e-commerce sites, etc.).

This is not the first time that Pôle emploi has been the victim of a data leak. Already in June 2021, the site had been stripped of 1.2 million items of personal data concerning no fewer than 120,000 people. Worse, last summer, a cyberattack against one of Pôle emploi’s service providers resulted in the sale of the personal data of more than 10 million job seekers.


