
France’s data protection authority, the CNIL, has imposed a combined €42 million fine on Free Mobile and its parent company Free SAS for failing to implement adequate security measures, a failure that led to a large-scale data breach in October 2024.
The breach exposed sensitive customer data linked to 24 million subscribers.
The penalties, €27 million for Free Mobile and €15 million for Free, were issued yesterday, following an extensive investigation triggered by more than 2,500 complaints from affected individuals. According to the CNIL, the size of the sanctions reflects the companies’ financial capacity, the highly sensitive nature of the leaked data, the scale of the breach, and the inadequacy of the mitigation measures in place.
The incident traces back to October 17, 2024, when a threat actor using the handle “drussellx” posted on BreachForums offering 43.6 GB of data allegedly stolen from Free’s infrastructure. The dataset included account credentials, personal identification details, and bank information such as IBAN and BIC numbers, particularly for customers subscribed to both Freebox and Free Mobile services. The posted dataset reportedly covered more than 19 million individuals, a lower figure than the 24 million subscribers the CNIL later cited, and the attacker also released a sample to back the claim.
Free SAS is a leading telecommunications provider in France, operating Freebox for broadband and Free Mobile for cellular services. With millions of customers relying on its infrastructure, the scale of the breach raised serious concerns about the company’s ability to safeguard personal and financial data. Free did not initially confirm the incident; the CNIL’s enforcement action now confirms that it occurred and documents its extent.
According to the CNIL’s report, the companies were found in violation of several core provisions of the EU General Data Protection Regulation (GDPR):
Failure to Ensure Data Security (Article 32 GDPR):
The CNIL’s inspection found that both Free Mobile and Free operated with inadequate baseline protections. In particular, the VPN systems used for remote employee access lacked robust authentication, leaving them exposed to unauthorized logins. The control a practitioner would expect on any such remote-access entry point is multi-factor authentication. Additionally, the internal monitoring tools were ineffective at detecting suspicious activity within the information systems, so an intruder who obtained access could operate without triggering an alert.
Insufficient Communication to Affected Individuals (Article 34 GDPR):
Although the companies notified users by email and set up a helpline, the CNIL determined that these notices lacked critical details. Article 34 requires a breach notification to describe the likely consequences of the breach and the measures individuals can take to protect themselves; by omitting both, the notices left customers unable to understand the risk (for example, fraud attempts using the leaked IBANs) or to react to it.
Excessive Retention of Personal Data (Article 5(1)(e) GDPR):
Free Mobile was also penalized for storing customer data beyond reasonable limits without justification. The investigation found that data belonging to former subscribers had been retained for years without any filtering or defined retention purpose, which also enlarged the population exposed by the breach. Although Free Mobile began purging this data during the regulatory procedure, the CNIL ordered the process to be completed within six months.
The CNIL acknowledged that both companies had begun improving their security posture during the investigation, including stronger authentication and access controls and better internal auditing. Nevertheless, the regulator emphasized that these reactive steps did not excuse the long-standing compliance failures that had made the breach possible.