French childcare payroll service reports data breach affecting up to 1.2 million people

Pajemploi, the French social security service for parents and home-based childcare providers, said a cyberattack detected on November 14 could have exposed personal data for as many as 1.2 million employees of private employers who use the service. The agency set out the incident in an announcement.

The incident affects registered professional caregivers working for private employers, typically parents who use the Pajemploi service, which is part of URSSAF. Pajemploi said the data potentially exfiltrated included full names, places of birth, postal addresses, social security numbers, the name of the banking institution used, Pajemploi numbers and accreditation numbers.

Pajemploi said the attackers did not obtain bank account numbers (IBANs), email addresses, phone numbers or account passwords. The agency said it took immediate action to stop the attack and protect its information systems, and that it will notify each affected person individually. It also informed the French Data Protection Authority (CNIL) and the National Agency for the Security of Information Systems (ANSSI).

URSSAF warned of an elevated risk of fraudulent emails, SMS messages or phone calls using the stolen information and recommended that people exercise extra caution when responding to unsolicited contacts and requests for personal information.

At publishing time, no ransomware group had claimed responsibility. The notice follows other recent incidents in France, including a March 2024 breach at the unemployment agency that exposed 43 million people and a November 13 network breach at Eurofiber France in which customer data was stolen.

Pajemploi did not provide further technical details such as the attack vector or whether files were published or sold.