The French data protection authority, the National Commission for Information Technology and Civil Liberties (CNIL), is concerned about the rising number of personal data security breaches across the country. Beyond the overall increase, the most worrying trend is the resurgence of very large-scale breaches: the number of breaches affecting more than a million people doubled in one year, from around twenty to around forty successful attacks. The trend continued at an accelerated pace in the first quarter of 2025, with 2,500 data breaches recorded by the CNIL over that period alone.
2024, a year marked by data breaches of unprecedented scale
The year 2024 was marked by numerous cyberattacks that resulted in the disclosure of private information on millions of French people, such as names, postal addresses or email addresses, and sometimes banking data. Every sector of activity, private and public, was affected. Notable victims in 2024 included France Travail, Free, the third-party payment operators Viamedis and Almerys, Auchan, Molotov, Truffaut, Cultura, Boulanger, SFR and the Assurance Retraite (the national pension insurance). The beginning of 2025 saw further brands affected, including La Poste, Chronopost, Kiabi, Indigo, Easy Cash and Alain Afflelou.
According to information collected by the CNIL after the breaches or during inspections, the attackers' methods are often similar and regularly exploit the same weaknesses. The CNIL identifies three main ones:
- the credentials used for the attack had previously been compromised;
- the intrusion and the exfiltration were not detected by the organization before the datasets were put up for sale;
- a significant proportion of the incidents involved a subcontractor.
Of the 5,629 breaches reported in 2024, 55% resulted from direct IT attacks (such as ransomware or phishing), while 20% resulted from internal human error. For Marie-Laure Denis, the president of the CNIL, large databases "are not sufficiently protected". She mentions "failures" and asserts that the real question is not whether a cyberattack will occur, but when. The president also highlights the impact of teleworking, stressing that vulnerabilities related to remote access have not been sufficiently addressed since the health crisis.
Faced with this alarming phenomenon, the CNIL is issuing recommendations to individuals and businesses on how to protect themselves. The Commission emphasizes the need to adopt security measures proportionate to the identified risks. Among the essential basic measures, the CNIL cites in particular "carrying out updates without delay, in order to avoid the exploitation of a security vulnerability" and "adopting sufficiently strong passwords, different for each account." It also recommends "performing periodic user awareness campaigns to include humans as security actors" and "protecting access to messaging so that it does not serve as an entry point for an attack". Finally, it stresses the importance of "performing regular backups, including a disconnected one, to be able to recover healthy data": a backup that is kept offline cannot be encrypted or deleted by an attacker who has already compromised the production environment.
The CNIL wants to impose two-factor authentication
The CNIL also points to more advanced technical measures, recommended in collaboration with ANSSI, which can significantly raise the level of security. According to Marie-Laure Denis, more than "80% of major data breaches" recorded in 2024 could have been avoided with a relatively simple precaution: two-factor authentication. This directly addresses the first of the three weaknesses listed above, since a compromised password alone no longer grants access.
For this reason, the CNIL will publish a recommendation this week to require two-factor authentication from 2026. Employees, partners or subcontractors connecting remotely to a very large database (covering several million people) will have to provide a second authentication factor in addition to their password.
The year 2024 was also marked by the CNIL's enforcement activity: it imposed more than €55 million in fines on companies through 87 separate sanctions, and the number of sanctions more than doubled in one year. This intense enforcement activity partly responds to increased demand, as the CNIL received 17,772 complaints in 2024, 8% more than in 2023, and processed more than 15,000 of them (excluding the series of 2,423 complaints relating to the Free data breach, the authority notes). Moreover, more than half of the cases that resulted in a sanction in 2024 originated from a complaint. The sanctions targeted security shortcomings such as the use of weak passwords or outdated protocols.
Annual report: the CNIL's results and key actions in 2024 (PDF)