---
url: 'https://www.corbado.com/blog/data-breaches-france'
title: '10 Biggest Data Breaches in France [2026]'
description: 'Discover the 10 biggest data breaches in France. From France Travail to Cegedim. CNIL fines, reporting rules and prevention methods explained.'
lang: 'en'
author: 'Vincent Delitz'
date: '2026-04-21T08:56:51.620Z'
lastModified: '2026-04-21T16:04:00.462Z'
keywords: 'data breach France, GDPR fines France, cyber attack France, data breach notification France, France Travail data breach, biggest data breach France 2026, hacked French companies, largest data breach France 2026'
category: 'Passkeys Strategy'
---

# 10 Biggest Data Breaches in France [2026]

## Key Facts

- The **France Travail breach** (March 2024) exposed the personal data of up to **43
  million** job seekers, making it the largest data breach in French history. The CNIL
  fined France Travail **5 million euros** in January 2026 under GDPR Article 32, where
  the maximum fine for a public body is 10 million euros.
- Between 2024 and 2025, more than **145 million records** belonging to French citizens
  were exposed across public services, healthcare, telecom and retail, equivalent to
  multiple breaches per French resident.
- Three of the four major French telcos (Free, Bouygues Telecom, SFR) confirmed data
  breaches in 2024-2025, with Free and Bouygues Telecom alone exposing IBANs of more
  than **11 million subscribers** combined.
- The CNIL issued record combined fines of **42 million euros against Free Mobile (27M)
  and Free (15M)** on 13 January 2026, signaling a move from warnings to punitive
  enforcement.
- French controllers must report personal data breaches to the **CNIL within 72 hours**
  under GDPR Article 33. Operators of vital importance (OIV) and essential services
  (OSE) additionally notify **ANSSI**; the transposition of NIS2 into French law was
  still ongoing in 2026.

## 1. Introduction

France has become one of the most breached jurisdictions in Europe. Between 2024 and
2025, more than **145 million records** belonging to French citizens were exposed across
public services, healthcare, telecom and retail, meaning statistically **every French
resident has been part of multiple breaches**. According to the
[CNIL](https://www.cnil.fr/en), over 5,600 breach notifications were received in 2024, a
new all-time high.

This article lists the 10 most significant data breaches in recent French history, from
the 43 million records exposed in the France Travail incident to the Cegedim Santé
health software leak, alongside CNIL reporting rules, fines and prevention patterns
that apply to any organization operating in France.

## 2. Why is France an Attractive Target for Data Breaches?

France's highly digitized public sector, its dense healthcare payment ecosystem and
three major telecom operators each holding tens of millions of subscriber records
combine to produce an outsized attack surface. Add chronic underinvestment in
cybersecurity relative to peer countries and social engineering targeting front-line
advisers, and the result is the record-breaking series of breaches France experienced in
2024-2026.

### 2.1 Highly Digitized Public Sector

France has one of the most advanced e-government stacks in Europe. FranceConnect, the
national identity federation, routes access to tax, healthcare, employment and family
benefits. A single compromised adviser account can therefore expose records spanning
decades, as seen with France Travail, Pass'Sport and OFII. The public sector holds
citizen data from cradle to grave, creating a concentration of sensitive records
unmatched in scale.

### 2.2 Dense Ecosystem of Third-Party Processors

French health insurance relies on a small number of "tiers payant" platforms (Viamedis,
Almerys, Cegedim) that process data for dozens of mutuelles. One intrusion therefore
propagates to tens of millions of policyholders. The same pattern is visible in telecom
(Bouygues Telecom's 2025 breach via a third-party supplier) and in e-commerce. Even
organizations with mature internal security programs remain exposed through their vendor
networks.

### 2.3 Chronic Underinvestment in Cybersecurity

Independent analyses such as
[Edouard.ai](https://edouard.ai/blog/france-data-leaks-2025-bouygues-passsport-impots)
estimate France's public cybersecurity spending at roughly **0.03% of GDP** (an
estimate, not an official figure), noticeably lower than peer European countries.
Average CNIL fines historically remained below EU peers, reducing the financial
deterrent for lax security, a gap the regulator is now closing with record sanctions
against Free Mobile, France Travail and others.

### 2.4 Social Engineering and MFA Gaps

Several of the biggest French incidents (France Travail, Viamedis, Free) started with
[phishing](https://www.corbado.com/glossary/phishing) or account takeovers on adviser or employee portals that
did not enforce phishing-resistant MFA. In every case, attackers targeted **the humans
at the edge** rather than the core infrastructure. The
[FIDO Alliance](https://fidoalliance.org/passkeys/) classifies passkeys as
phishing-resistant by design, since each passkey is bound to the legitimate origin and
cannot be replayed against attacker-controlled sites. French public services and telcos
that have not yet rolled out [passkeys](https://www.corbado.com/glossary/passkey) or hardware-backed
authentication remain exposed to the same attack class.
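
The origin binding described above is visible in the checks a relying party runs on every passkey login. The following is an added example, not code from the original article or from the FIDO Alliance: the portal name `adviser.example`, the look-alike `adviser-login.example` and all function names are assumptions, and it assumes the signature over the authenticator data and client-data hash is verified separately with the stored public key.

```python
import base64
import hashlib
import hmac
import json
import struct

# Assumed relying-party settings for a hypothetical adviser portal.
RP_ID = "adviser.example"
EXPECTED_ORIGIN = "https://adviser.example"
FLAG_UP = 0x01  # "user present" bit in the authenticator data flags


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def check_assertion(client_data_json, authenticator_data, issued_challenge):
    """Return the binding failures for one login; an empty list means accept."""
    problems = []
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        problems.append("wrong ceremony type")
    try:
        received = b64url_decode(client_data.get("challenge", ""))
    except (ValueError, TypeError):
        received = b""
    if not hmac.compare_digest(received, issued_challenge):
        problems.append("challenge mismatch")
    # The browser, not the page, writes the origin the user is actually on.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        problems.append("origin mismatch")
    if len(authenticator_data) < 37:
        return problems + ["authenticator data too short"]
    # Layout: 32-byte SHA-256 of the RP ID, 1 flag byte, 4-byte signature counter.
    rp_id_hash, flags, _counter = struct.unpack(">32sBI", authenticator_data[:37])
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(RP_ID.encode()).digest()):
        problems.append("rpIdHash mismatch")
    if not flags & FLAG_UP:
        problems.append("user presence flag not set")
    return problems


def simulate_client(origin, rp_id, challenge, flags=FLAG_UP, counter=1):
    """Constructed stand-in for the bytes a browser and authenticator emit."""
    client_data_json = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge),
         "origin": origin, "crossOrigin": False},
        separators=(",", ":"),
    ).encode()
    authenticator_data = (hashlib.sha256(rp_id.encode()).digest()
                          + bytes([flags]) + struct.pack(">I", counter))
    return client_data_json, authenticator_data


def demo():
    # Constructed challenge; a real relying party issues fresh random bytes per login.
    challenge = bytes(range(32))
    genuine = simulate_client(EXPECTED_ORIGIN, RP_ID, challenge)
    # A look-alike site can relay the real challenge, but the victim's browser
    # still records the look-alike origin and scopes the request to its RP ID.
    # (In practice no credential exists for that RP ID, so nothing is signed.)
    phished = simulate_client("https://adviser-login.example",
                              "adviser-login.example", challenge)
    # An assertion captured for an earlier challenge cannot be reused later.
    stale = simulate_client(EXPECTED_ORIGIN, RP_ID, b"\x00" * 32)
    return {
        "genuine": check_assertion(*genuine, challenge),
        "phished": check_assertion(*phished, challenge),
        "stale_challenge": check_assertion(*stale, challenge),
    }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", problems or "accepted")
```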

## 3. 10 Biggest Data Breaches in France

The ten largest French data breaches since 2023 exposed at least **145 million records**
combined and triggered CNIL fines totaling **47 million euros** by January 2026. They
span public services (France Travail, Pass'Sport), healthcare platforms (Viamedis,
Almerys, Cegedim Santé), telecom (Free, Bouygues Telecom) and consumer retail (ManoMano,
Sport 2000). The table below summarizes scope, year and regulatory outcome; detailed
case descriptions and prevention patterns follow.

| #   | Company / Entity                 | Year | Records or Scope              | Regulatory Outcome            |
| --- | -------------------------------- | ---- | ----------------------------- | ----------------------------- |
| 1   | France Travail                   | 2024 | Up to 43 million              | **5M EUR CNIL fine (2026)**   |
| 2   | ManoMano                         | 2026 | Up to 37.8 million (claimed)  | Under review                  |
| 3   | Viamedis and Almerys             | 2024 | 33 million                    | CNIL investigation ongoing    |
| 4   | Free / Free Mobile               | 2024 | 24.6 million (5.11M IBANs)    | **42M EUR CNIL fine (2026)**  |
| 5   | Cegedim Santé (MLM)              | 2025 | 15 million                    | Criminal investigation opened |
| 6   | France Travail (MOVEit)          | 2023 | 10 million                    | No separate CNIL fine         |
| 7   | Bouygues Telecom                 | 2025 | 6.4 million (with IBANs)      | CNIL and ANSSI notified       |
| 8   | Pass'Sport                       | 2025 | 6.4 million email addresses   | CNIL notified                 |
| 9   | Sport 2000                       | 2024 | 3.2 million                   | HIBP indexed, CNIL notified   |
| 10  | Fédération Française de Football | 2025 | ~2.4 million licensed members | CNIL notified                 |

### 3.1 France Travail Data Breach (2024)

![France Travail logo](https://s3.eu-central-1.amazonaws.com/corbado-cloud-staging-website-assets/francetravail_d3254f1758.png)

| Details                  | Information                                                                                                                                                               |
| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Date                     | March 2024                                                                                                                                                                |
| Impacted Customer Number | Up to 43 million                                                                                                                                                          |
| Breached Data            | - Full names<br/>- Dates and places of birth<br/>- Social security numbers (NIR)<br/>- France Travail IDs<br/>- Email addresses<br/>- Postal addresses<br/>- Phone numbers |

In March 2024, France Travail (formerly Pôle Emploi) and Cap Emploi disclosed what is
now considered the largest [data breach](https://www.corbado.com/glossary/data-breach) in French history.
Attackers used **social engineering** to hijack the accounts of Cap Emploi advisers
(the organization supporting people with disabilities) and accessed data of all
individuals who had been registered over the past 20 years, as well as candidates with a
profile on francetravail.fr. According to the
[CNIL](https://www.cnil.fr/en/data-breach-5million-fine-france-travail), up to 43 million
people may have been affected.

On 22 January 2026, the [CNIL](https://www.cnil.fr/en/data-breach-5million-fine-france-travail)
fined France Travail **5 million euros** under GDPR Article 32, where the statutory
maximum for a public body is 10 million euros. The regulator cited "ignorance of
essential security principles" and ordered corrective measures under a 5,000 euro/day
penalty. This was France Travail's second breach: in August 2023, a third-party
incident in which the Cl0p ransomware group exploited a MOVEit Transfer zero-day had
already exposed the data of 10 million users.

Prevention methods:

- Enforce [phishing](https://www.corbado.com/glossary/phishing)-resistant MFA (passkeys) for all adviser and
  administrator accounts accessing bulk citizen data
- Apply bulk-query anomaly detection and strict data retention rules on citizen
  databases

### 3.2 ManoMano Data Breach (2026)

![ManoMano logo](https://s3.eu-central-1.amazonaws.com/corbado-cloud-staging-website-assets/manomano_6309bda5c8.png)

| Details                  | Information                                                            |
| ------------------------ | ---------------------------------------------------------------------- |
| Date                     | February 2026                                                          |
| Impacted Customer Number | Up to 37.8 million (claimed)                                           |
| Breached Data            | - Identity data<br/>- Contact details<br/>- Administrative information |

In February 2026, French DIY e-commerce giant ManoMano was named by threat actors in a
data sale referenced across multiple French cybersecurity trackers. The actor claimed to
have compromised **up to 37.8 million customer records**, including identity data,
contact details and administrative information. The scale of the claim is consistent
with the platform's cumulative EU user base rather than active French customers, but the
incident is still one of the highest-volume French-linked data sales ever observed.

The exposure underlines how large consumer marketplaces in France have become as
attractive to attackers as banks or telcos, particularly when the data can be combined
with prior leaks to build "identity graphs" for fraud.

Prevention methods:

- Continuously monitor underground forums and breach marketplaces for exposed customer
  lists and enforce strong API rate limits on customer endpoints
- Minimize retention of historical, low-activity customer profiles

### 3.3 Viamedis and Almerys Data Breach (2024)

| Details                  | Information                                                                                                                                            |
| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Date                     | January-February 2024                                                                                                                                  |
| Impacted Customer Number | 33 million                                                                                                                                             |
| Breached Data            | - Names<br/>- Dates of birth<br/>- Insurer details<br/>- Social security numbers<br/>- Marital and civil status<br/>- Third-party payment entitlements |

In January and February 2024, Viamedis and Almerys, two French third-party payment
processors for supplementary health [insurance](https://www.corbado.com/passkeys-for-insurance), were breached
in quick succession. The CNIL confirmed that combined, the incidents affected **33
million people, nearly half of France's population**.

The Viamedis intrusion was traced to a **phishing attack** targeting healthcare
professionals, allowing attackers to reuse stolen credentials on the provider portal.
Almerys is suspected to have been hit via a similar healthcare professional portal.

> "It is the first time there has been a violation of this magnitude."
> — Yann Padova, former CNIL Secretary-General (2024)

Prevention methods:

- Deploy phishing-resistant MFA (passkeys) for every healthcare professional accessing
  insured-member data
- Segment tiers-payant platforms so that one compromised portal cannot expose the entire
  national database

### 3.4 Free Data Breach (2024)

![Free Mobile logo](https://s3.eu-central-1.amazonaws.com/corbado-cloud-staging-website-assets/free_d166ba4dc6.png)

| Details                  | Information                                                                                                                 |
| ------------------------ | --------------------------------------------------------------------------------------------------------------------------- |
| Date                     | October 2024                                                                                                                            |
| Impacted Customer Number | 24.6 million contracts (19.46M Free Mobile + 5.17M Free), including 5.11M IBANs                                                         |
| Breached Data            | - Full names<br/>- Email addresses<br/>- Dates of birth<br/>- Postal addresses<br/>- Phone numbers<br/>- 5.11 million IBANs (Free only) |

In October 2024, Free (France's second-largest ISP and a subsidiary of the Iliad
group) confirmed that attackers had compromised an internal management tool and
exfiltrated data on **19.46 million Free Mobile and 5.17 million Freebox contracts**,
including the **IBANs of all 5.11 million Freebox customers**. The data was quickly
auctioned on BreachForums by a threat actor known as "drussellx", with the final bid
reaching 175,000 euros.

Free emphasized that passwords, payment card data and communications content were not
affected, but the combination of IBAN, full name and date of birth is sufficient for
direct-debit fraud and high-quality [phishing](https://www.corbado.com/glossary/phishing). On 13 January 2026,
the [CNIL sanctioned Free Mobile 27 million euros and Free 15 million euros](https://www.cnil.fr/en)
(42 million euros in total) for inadequate security around subscriber data, one of the
largest combined GDPR sanctions ever issued in France for a data breach.

Prevention methods:

- Protect privileged internal tools with phishing-resistant MFA and just-in-time access
- Tokenize IBANs and payment identifiers so that subscriber records are not directly
  monetizable

### 3.5 Cegedim Santé (MLM) Data Breach (2025)

![Cegedim logo](https://s3.eu-central-1.amazonaws.com/corbado-cloud-staging-website-assets/cegedim_920112c77d.png)

| Details                  | Information                                                                                                 |
| ------------------------ | ----------------------------------------------------------------------------------------------------------- |
| Date                     | October 2025                                                                                                |
| Impacted Customer Number | Approximately 15 million patients                                                                           |
| Breached Data            | - Administrative patient data (surname, first name, gender, etc.)<br/>- 19 million records over 15 years |

In October 2025, attackers breached "MonLogicielMedical.com" (MLM), a medical practice
management application published by [Cegedim Santé](https://www.cegedim.com/) and used by
thousands of French healthcare professionals. According to the French Ministry of
Health, the incident compromised **administrative data of roughly 15 million French
patients**, spanning up to 15 years of history and 19 million digital record lines.

In its February 2026 clarification, Cegedim Santé stated that the data at issue was
**exclusively administrative** (identity-type information such as surname, first name
and gender), and that structured clinical records, free-text medical comments and
sensitive diagnoses such as HIV status were **not** involved. A criminal investigation
for "breach of an automated data system" was opened on 27 October 2025.

> "Potentially the largest leak in French healthcare history."
> — Gérôme Billois, cybersecurity expert at Wavestone (October 2025)

Prevention methods:

- Enforce strong authentication (passkeys) for every practitioner accessing cloud
  medical software
- Apply strict data minimization and segregation between administrative identity data
  and clinical records in SaaS medical platforms

### 3.6 France Travail MOVEit Breach (2023)

![France Travail logo](https://s3.eu-central-1.amazonaws.com/corbado-cloud-staging-website-assets/francetravail_d3254f1758.png)

| Details                  | Information                                                      |
| ------------------------ | ---------------------------------------------------------------- |
| Date                     | August 2023                                                      |
| Impacted Customer Number | Approximately 10 million                                         |
| Breached Data            | - Full names<br/>- Social security numbers<br/>- Contact details |

Before the headline-making 2024 incident, France Travail was already the victim of a
third-party breach linked to the Cl0p ransomware group exploiting a zero-day
vulnerability in the Progress MOVEit Transfer software. The attack exposed the personal
information of roughly **10 million job seekers**, including names, NIRs and contact
details. It was part of the global MOVEit supply-chain wave that affected hundreds of
organizations worldwide and foreshadowed the even larger 2024 breach of the same agency.

Prevention methods:

- Maintain an up-to-date inventory of third-party file-transfer software exposed to the
  internet and apply virtual patching for zero-day windows
- Segment file-transfer pipelines from core HR and citizen databases

### 3.7 Bouygues Telecom Data Breach (2025)

![Bouygues Telecom logo](https://s3.eu-central-1.amazonaws.com/corbado-cloud-staging-website-assets/bouygues_d1a6afded7.png)

| Details                  | Information                                                                                                  |
| ------------------------ | ------------------------------------------------------------------------------------------------------------ |
| Date                     | August 2025                                                                                                  |
| Impacted Customer Number | 6.4 million                                                                                                  |
| Breached Data            | - Full names<br/>- Postal addresses<br/>- Phone numbers<br/>- Dates of birth<br/>- Contract data<br/>- IBANs |

On 4 August 2025, Bouygues Telecom, one of France's major mobile carriers with around
14.5 million mobile subscribers and a total customer base of roughly 23 million,
detected a cyberattack against a customer management system. Two days later, the
company confirmed that attackers had accessed personal and contractual data for
**6.4 million customers**, including IBANs. Passwords and payment card numbers were
not compromised.

The breach, believed to have originated from a third-party supplier, was reported to
the CNIL and ANSSI. Under [French Code pénal Article 323-1](https://www.legifrance.gouv.fr/codes/article_lc/LEGIARTI000030939438/),
the attacker faces up to three years of imprisonment for unauthorized access to an
automated data processing system, rising to five years where data is altered or the
system is impaired. Bouygues Telecom itself faces GDPR scrutiny from the CNIL for its
third-party risk management. The incident is part of a broader pattern that also hit
SFR (September 2025, banking details) and Free in 2024-2025.

Prevention methods:

- Treat third-party suppliers as part of the core attack surface and require
  phishing-resistant MFA across all connected systems
- Tokenize IBANs and other payment identifiers to limit the value of bulk data theft
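
One way to implement the IBAN tokenization recommended here and in section 3.4, as an added example that is not code from the original article or from either operator. The `IbanVault` class, the token format, the purpose name and the sample IBAN (built from a constructed account number) are assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Hypothetical list of processing purposes that may see a real IBAN.
ALLOWED_PURPOSES = {"sepa_debit_run"}


def _numeric(text: str) -> int:
    # ISO 13616: digits stay as they are, letters become 10..35 (A=10, Z=35).
    return int("".join(str(int(ch, 36)) for ch in text))


def make_iban(country: str, bban: str) -> str:
    """Compute the two check digits for a country code and account part."""
    check = 98 - _numeric(bban + country + "00") % 97
    return f"{country}{check:02d}{bban}"


def normalize(iban: str) -> str:
    return re.sub(r"\s+", "", iban).upper()


def is_valid_iban(iban: str) -> bool:
    iban = normalize(iban)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", iban):
        return False
    if iban.startswith("FR") and len(iban) != 27:  # French IBANs are 27 characters
        return False
    return _numeric(iban[4:] + iban[:4]) % 97 == 1


class IbanVault:
    """Holds the only token-to-IBAN mapping; runs apart from the CRM database."""

    def __init__(self, key: bytes):
        self._key = key      # assumption: in production this key lives in a KMS or HSM
        self._store = {}     # token -> IBAN, never replicated to customer tools

    def tokenize(self, iban: str) -> dict:
        iban = normalize(iban)
        if not is_valid_iban(iban):
            raise ValueError("not a valid IBAN")
        # Keyed and deterministic: the same IBAN always maps to the same token,
        # but the token cannot be reversed or brute-forced without the key.
        digest = hmac.new(self._key, iban.encode(), hashlib.sha256).hexdigest()
        token = "ibtok_" + digest[:32]
        self._store[token] = iban
        return {"iban_token": token, "iban_last4": iban[-4:]}

    def detokenize(self, token: str, purpose: str) -> str:
        if purpose not in ALLOWED_PURPOSES:
            raise PermissionError(f"purpose {purpose!r} may not read IBANs")
        return self._store[token]


def build_subscriber_record(vault: IbanVault, name: str, iban: str) -> dict:
    """What the customer management system stores: a token, never the IBAN."""
    return {"name": name, **vault.tokenize(iban)}


# Constructed sample: bank 00001, branch 00001, account 00000000001, key 00.
SAMPLE_IBAN = make_iban("FR", "00001" + "00001" + "00000000001" + "00")

if __name__ == "__main__":
    vault = IbanVault(key=b"constructed-demo-key")
    record = build_subscriber_record(vault, "Constructed Subscriber", SAMPLE_IBAN)
    print(record)  # a bulk export of such records contains no usable IBAN
    print(vault.detokenize(record["iban_token"], "sepa_debit_run"))
```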

### 3.8 Pass'Sport Data Breach (December 2025)

![Pass'Sport logo](https://s3.eu-central-1.amazonaws.com/corbado-cloud-staging-website-assets/passsport_c10a1e5abd.png)

| Details                  | Information                                                                                 |
| ------------------------ | ------------------------------------------------------------------------------------------- |
| Date                     | December 2025                                                                               |
| Impacted Customer Number | 3.5 million households (6.4 million unique email addresses)                                 |
| Breached Data            | - Beneficiary and parent identities<br/>- Contact details<br/>- Administrative information |

Pass'Sport is a French government program run by the Ministry of Sports that provides a
**70 euro subsidy** (previously 50 euros) to eligible young people for sports club
memberships. On the night of 17-18 December 2025, a 15 GB file containing more than
22 million lines of data appeared online. Initial media reports wrongly attributed the
leak to the Caisse d'Allocations Familiales (CAF), which publicly denied any intrusion
into caf.fr. The Ministry of Sports later confirmed that the data originated from the
**Pass'Sport information system**, covering roughly **3.5 million households and
6.4 million unique email addresses** of beneficiaries and their parents or guardians.

The exposed records covered the period from September 2024 to November 2025 and
included full identities, postal addresses, phone numbers and email addresses, but no
banking data or passwords. The dataset is particularly valuable for targeted
[phishing](https://www.corbado.com/glossary/phishing) against families with minors, and a large share has
since been indexed in [Have I Been Pwned](https://haveibeenpwned.com/).

Prevention methods:

- Apply the strictest possible protection to systems processing data of minors,
  including mandatory phishing-resistant MFA for administrators
- Minimize the duration for which beneficiary data is retained after program expiry

### 3.9 Sport 2000 Data Breach (2024)

| Details                  | Information                                                                                                                         |
| ------------------------ | ----------------------------------------------------------------------------------------------------------------------------------- |
| Date                     | April 2024                                                                                                                          |
| Impacted Customer Number | 3.2 million unique email addresses (4.4 million records)                                                                            |
| Breached Data            | - Full names<br/>- Email addresses<br/>- Phone numbers<br/>- Postal addresses<br/>- Dates of birth<br/>- Purchase history per store |

In April 2024, French sporting goods retailer **Sport 2000** suffered a data breach
that was later [indexed by Have I Been Pwned](https://haveibeenpwned.com/Breach/Sport2000).
A threat actor operating under the alias "ChatNoir7331" posted a database of **4.4
million rows with 3.2 million unique email addresses** for sale on a hacking forum, and
the dataset was subsequently republished for free in June 2024. The leak included
names, email and postal addresses, phone numbers, dates of birth and detailed purchase
history keyed to specific store locations.

The combination of contact data and per-store purchase history makes the Sport 2000
leak particularly useful for highly targeted phishing ("your recent purchase at Sport
2000 Lyon...") and illustrates how mid-sized French retailers can produce
consumer-scale breaches when marketing databases are poorly segmented.

Prevention methods:

- Segment marketing and transactional databases, and rotate access tokens used by
  third-party marketing tools
- Minimize retention of historical purchase data tied to identifiable customers

### 3.10 Fédération Française de Football Data Breach (2025)

![FFF logo](https://s3.eu-central-1.amazonaws.com/corbado-cloud-staging-website-assets/fff_small_0465e008b5.png)

| Details                  | Information                                                                          |
| ------------------------ | ------------------------------------------------------------------------------------ |
| Date                     | 2025                                                                                 |
| Impacted Customer Number | Approximately 2.4 million licensed members                                           |
| Breached Data            | - Member identities<br/>- Dates of birth<br/>- Contact details<br/>- Licence numbers |

In 2025, the [Fédération Française de Football (FFF)](https://www.fff.fr/) disclosed a
breach that exposed the personal data of its licensed members. The FFF reports
roughly **2.38 million licensed members** for the 2023-2024 season. According to the
FFF's own "vol de données" notice, the incident covered identity and contact data
(names, dates of birth, licence numbers and some identity documents) and **explicitly
excluded health data**. The FFF incident was part of a wave that also hit Fédération
Française de Voile, Fédération Française de Gymnastique, Fédération Française de Tir
and others, confirming French sports federations as an attractive target because of
their large, historically stored datasets and comparatively weak IT security budgets.

Prevention methods:

- Prioritize cybersecurity investment in federations and non-profits that hold decades
  of member data
- Remove historical records that are no longer needed to operate licences

## 4. How to Report a Data Breach in France

French controllers must report a personal [data breach](https://www.corbado.com/glossary/data-breach) to the
[CNIL](https://www.cnil.fr/en) within **72 hours** of becoming aware of it, under GDPR
Article 33. If the breach is likely to result in a high risk to affected individuals,
GDPR Article 34 requires notifying them without undue delay. Operators of vital
importance (OIV) and operators of essential services (OSE) additionally notify
[ANSSI](https://www.ssi.gouv.fr/en/); the full transposition of the NIS2 directive into
French law was still ongoing in 2026.

### 4.1 GDPR 72-Hour Rule (Article 33)

Under [GDPR Article 33](https://gdpr-info.eu/art-33-gdpr/), a controller must notify the
CNIL of a personal data breach **not later than 72 hours** after becoming aware of it.
If notification is delayed, the controller must provide reasons for the delay. The
notification must describe the nature of the breach, categories and approximate number
of affected individuals, likely consequences and measures taken or proposed.

### 4.2 Competent Authority: the CNIL

Unlike Germany's 16 state-level DPAs, France has a single national supervisory
authority: the **Commission Nationale de l'Informatique et des Libertés (CNIL)**. The
CNIL enforces GDPR for both public and private sector controllers and has the power to
impose administrative fines of up to 20 million euros or 4% of global annual turnover,
whichever is higher. Recent combined sanctions against Free Mobile and Free (42 million
euros, of which 27 million against Free Mobile) and France Travail (5 million euros)
show that the CNIL has shifted from warnings to punitive enforcement.

### 4.3 ANSSI Reporting for OIV, OSE and NIS2

Operators of vital importance (**OIV**) and operators of essential services (**OSE**)
must additionally report significant cyber incidents to the
[ANSSI](https://www.ssi.gouv.fr/en/), the French national cybersecurity agency. The
[NIS2 directive](https://www.corbado.com/blog/cyber-security-compliance) extends mandatory reporting to more
sectors, including digital service providers, manufacturing and waste management. Its
transposition into French law was still in progress in 2026, and ANSSI has stated it
will communicate throughout the process; the European Commission also issued a reasoned
opinion for incomplete transposition. Once in force, reports will follow a staged
timeline: an **early warning within 24 hours, full notification within 72 hours** and a
final report within one month.

### 4.4 Individual Notification (Article 34)

When a breach is likely to result in a high risk to the rights and freedoms of
individuals, [GDPR Article 34](https://gdpr-info.eu/art-34-gdpr/) requires direct
notification to affected persons in clear and plain language. The France Travail,
Viamedis, Free and Cegedim Santé cases all triggered Article 34 obligations. Failing to
notify is a common trigger for additional regulatory penalties on top of the underlying
breach.

## 5. Trends in French Data Breaches

Four patterns recur across the ten cases: concentration of citizen data in a highly
digitized public sector, third-party and supply-chain compromise as the dominant entry
point, credential stuffing turning French public portals into soft targets and a CNIL
that is rapidly catching up in enforcement. Understanding these patterns is more
actionable than memorizing individual incidents.

### 5.1 Public-Sector Digitization Creates a Nationwide Attack Surface

France Travail, OFII, FICOBA and Pass'Sport show how much citizen data is concentrated
in a few public platforms. One compromised adviser account at Cap Emploi was enough to
expose 43 million records; one leaked Pass'Sport partner integration was enough to
expose 3.5 million households. France's reliance on **FranceConnect** and shared
public-service logins amplifies this risk: a single compromised password tied to a NIR
can unlock multiple public services at once.

### 5.2 Third-Party Vendors are a Critical Weak Link

Viamedis, Almerys, Cegedim Santé, Bouygues Telecom and the 2023 France Travail MOVEit
incident share the same root cause: compromise at a third party, not at the primary
brand. Even organizations with mature internal security programs remain exposed through
their vendor networks. The tiers-payant health insurance model, where a handful of
processors handle data for dozens of mutuelles, is particularly vulnerable to
single-point-of-failure breaches.

### 5.3 Credential Stuffing Turns Public Portals into Soft Targets

[Credential stuffing](https://www.corbado.com/glossary/credential-stuffing) has become the default follow-up
attack after every French breach. In February 2024, the hacking group LulzSec claimed
**up to 600,000 CAF accounts** compromised purely through password reuse, without any
technical breach of caf.fr. A subsequent August 2024 leak exposed 60,369 further CAF
login combos (NIR + password) on a hacking forum. As long as French public services
accept password login, each new breach anywhere in Europe feeds credential stuffing
attacks against them.

### 5.4 CNIL Enforcement is Catching Up

As of January 2026, the CNIL has moved from warnings to punitive enforcement. On 13
January 2026, Free Mobile and Free were jointly fined **42 million euros** (27 million
against Free Mobile and 15 million against Free), and France Travail was fined
**5 million euros** on 22 January 2026 under GDPR Article 32 (the statutory maximum for
a public body is 10 million euros). Historically, average CNIL fines remained well below
GDPR caps. Combined with the growing body of class-action-style damages claims under
Article 82, France has moved into the same enforcement tier as Germany, the Netherlands
and Ireland.

## 6. Conclusion

France's ten biggest recent breaches tell a consistent story: credentials and
third-party access are the common denominators. France Travail's social-engineered
adviser accounts, Viamedis' phished healthcare professionals, Free's compromised
internal tool, Pass'Sport's leaked partner integration and Bouygues Telecom's
third-party supplier all trace back to the same underlying weakness: humans and vendors
authenticating with passwords against systems that hold decades of citizen data.

The countermeasures are equally consistent: phishing-resistant authentication like
[passkeys](https://www.corbado.com/glossary/passkey), strict third-party access governance, continuous
dark-web monitoring and 72-hour CNIL notification readiness. With the CNIL now issuing
eight- and nine-figure fines, French organizations that treat these as board-level
priorities in 2026 will avoid both the regulatory penalties and the reputational damage
that defined the last three years of French breaches.

## Frequently Asked Questions

### What was the France Travail data breach in 2024?

In March 2024, France Travail (formerly Pôle Emploi) and Cap Emploi disclosed the
largest data breach in French history. Attackers used social engineering to hijack Cap
Emploi adviser accounts and exfiltrated personal data on up to 43 million people who had
been job seekers over the past 20 years, including names, dates of birth, social security
numbers, France Travail IDs and contact details. On 22 January 2026, the CNIL fined France Travail 5
million euros under GDPR Article 32, where the statutory maximum for a public body is
10 million euros.

### How do you report a data breach in France?

Under GDPR Article 33, French controllers must notify the CNIL within 72 hours of
becoming aware of a personal data breach. If the breach is likely to result in high risk
to affected individuals, Article 34 requires notifying them without undue delay.
Operators of vital importance (OIV) and operators of essential services (OSE) notify
ANSSI under existing French law; the full transposition of the NIS2 directive into
French law was still ongoing in 2026.

### What is the largest CNIL fine ever issued after a data breach in France?

On 13 January 2026, the CNIL jointly fined Free Mobile 27 million euros and Free 15
million euros (42 million euros combined) for inadequate security that contributed to
a 2024 breach exposing 24.6 million contracts, including 5.11 million IBANs. This is
one of the largest combined GDPR sanctions ever issued in France for a data breach.
France Travail was fined 5 million euros on 22 January 2026 under Article 32.

### Why has France become such a prime target for data breaches?

France combines a highly digitized public sector (France Travail, CAF, DGFiP, OFII), a
dense healthcare payment ecosystem (Viamedis, Almerys, Cegedim) and three major telecom
operators that each hold tens of millions of subscriber records. Chronic underinvestment
in cybersecurity relative to GDP, heavy reliance on third-party platforms and social
engineering attacks against public-facing advisers explain why more than 145 million
French records were exposed between 2024 and 2025.

### How do French data breaches fuel credential stuffing attacks?

Breaches expose email addresses, social security numbers and often passwords that get
traded on dark web forums. Attackers replay these credentials against banks, public
services and retailers, exploiting password reuse. The February 2024 CAF incident
compromised up to 600,000 accounts purely through credential stuffing, without any
technical breach of caf.fr, demonstrating how French breaches keep fueling attacks long
after disclosure.
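
The login pattern described in section 5.3 and in this answer (one source trying leaked combos on many accounts, mostly failing) can be detected in authentication logs. The following is an added example, not code from the original article: the event tuples, IP addresses, account names and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events: (epoch_seconds, source_ip, account, login_ok)
# 203.0.113.7 tries one password each on many accounts (stuffing pattern),
# 198.51.100.4 hammers a single account (brute force, a different signal),
# 192.0.2.10 is a shared NAT where many users log in successfully.
SAMPLE_EVENTS = (
    [(1000 + 4 * i, "203.0.113.7", f"user{i:03d}", i == 6) for i in range(12)]
    + [(1000 + 3 * i, "198.51.100.4", "user500", False) for i in range(15)]
    + [(1000 + 20 * i, "192.0.2.10", f"staff{i:02d}", i != 3) for i in range(10)]
)


def detect_stuffing(events, window=300, min_accounts=8, max_success=0.2):
    """Return {ip: (distinct_accounts, success_ratio)} for sources that, within
    any `window`-second span, touch at least `min_accounts` distinct accounts
    with a success ratio of at most `max_success` (assumed thresholds)."""
    by_ip = defaultdict(list)
    for ts, ip, account, ok in sorted(events):
        by_ip[ip].append((ts, account, ok))

    flagged = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):
            # Advance the left edge until the span covers <= `window` seconds.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            accounts = {account for _, account, _ in span}
            ratio = sum(ok for _, _, ok in span) / len(span)
            if len(accounts) >= min_accounts and ratio <= max_success:
                best = flagged.get(ip)
                # Keep the widest account spread seen for this source.
                if best is None or len(accounts) > best[0]:
                    flagged[ip] = (len(accounts), round(ratio, 2))
    return flagged


if __name__ == "__main__":
    for ip, (accounts, ratio) in detect_stuffing(SAMPLE_EVENTS).items():
        print(f"{ip}: {accounts} accounts, success ratio {ratio}")
```

Per-source counting misses runs that are spread across many IP addresses, so it complements rather than replaces phishing-resistant login.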
