Pôle emploi, the French governmental agency responsible for unemployment registration and financial aid, has reported a data breach that exposed the personal information of approximately 10 million individuals. The agency stated, “Pôle emploi became aware of the violation of the information system of one of its providers involving a risk of disclosure of personal data of job seekers.” Those registered in February 2022, as well as former users of the job center, are potentially affected by this data theft. The breach was highlighted by a report from Le Parisien, which estimated the number of impacted individuals to be around 10 million. This figure is based on the 6 million people who had registered at one of Pôle emploi's 900 job centers by February 2022, and an additional 4 million who had registered in the previous 12 months but whose data had not been deleted from the agency's systems yet.
Details of the Exposed Data
The compromised data includes full names and social security numbers. Fortunately, email addresses, phone numbers, passwords, and banking data were not affected by this breach. Despite the limited utility of the exposed data for cybercriminal activities, Pôle emploi has advised registered job seekers to exercise caution with incoming communications. The agency has also established a dedicated phone support line to address concerns and queries related to the incident. Pôle emploi has emphasized that the breach does not affect its financial aid programs and has assured job seekers that they can securely access the online employment portal.
The MOVEit Connection
Responsible for the hack seems to be a vulnerability in MOVEit, a managed file transfer software developed by Ipswitch, Inc., that allows attackers to steal files from organizations through SQL injection on public-facing servers. The transfers are facilitated through a custom web shell identified as LemurLoot.
The data leak was attributed to a service provider, with security firm Emsisoft listing Pôle emploi on its MOVEit page. The cybersecurity company confirmed the impact on 10 million individuals. The Clop ransomware gang, responsible for the extensive MOVEit hacking spree, has not yet listed the French agency on its extortion site. Previously, the threat actors stated they would not disclose information from breaches in government agencies, leaving the reason for the omission unclear. MOVEit deployed a patch on May 31, the same day the vulnerability was reported.
Wider Impact of MOVEit Hack
The MOVEit hack has affected nearly 1,000 organizations and approximately 60 million individuals globally. This includes both direct and indirect impacts. As of August 24, Emsisoft was aware of 988 victims and roughly 59.2 million individuals. The list of organizations that have reported significant data exposure includes Maximus, Pôle Emploi, Louisiana Office of Motor Vehicles, Colorado Department of Health Care Policy and Financing, Oregon Department of Transportation, and several others. The Cl0p ransomware group, believed to be Russian-speaking, is behind this massive campaign.
Financial Firms Face Lawsuits
Financial firms affected by the MOVEit file-sharing software attack are now facing lawsuits. One such lawsuit against Prudential demands the company to provide 10 years of identity theft monitoring service, arguing that stolen Social Security numbers cannot be replaced. As of now, 998 organizations have been identified as victims of the MOVEit attacks. The Clop group targeted a zero-day flaw in MOVEit servers, which allowed them to access all stored data.