French Telecom Giants Fined $42 Million Over Massive Data Breach
France’s data protection authority, CNIL, has imposed a combined €42 million ($42 million) fine on telecom providers Free SAS and Free Mobile for cybersecurity failures that led to a major data breach in October 2024. The incident exposed sensitive personal data, including international bank account numbers, of 24 million subscribers across both companies, which are subsidiaries of Groupe Iliad.
CNIL’s investigation found multiple GDPR violations, including inadequate security measures such as weak VPN authentication and a lack of systems to detect unusual activity. The regulator also criticized the companies for failing to provide affected customers with clear information about the breach’s impact or protective steps, as required by GDPR. Additionally, Free Mobile was found to have retained former subscribers’ data unnecessarily, increasing exposure risks.
The fines, €27 million ($31 million) for Free and €15 million ($17 million) for Free SAS, reflect the severity of the breach, the companies’ substantial profits, and their alleged "lack of knowledge of essential security principles." While CNIL acknowledged that both firms have since taken corrective actions, they remain under orders to further strengthen their security protocols. Groupe Iliad has not yet responded to requests for comment.
Source: https://therecord.media/france-data-regulator-fine
Free Mobile TPRM report: https://www.rankiteo.com/company/freelance-writer-editor-and-proofreader
"id": "fre1768415425",
"linkid": "freelance-writer-editor-and-proofreader",
"type": "Breach",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '24 million subscribers',
'industry': 'Telecommunications',
'location': 'France',
'name': 'Free SAS',
'size': 'Large (subsidiary of Groupe Iliad)',
'type': 'Telecommunications provider'},
{'customers_affected': '24 million subscribers '
'(including former subscribers)',
'industry': 'Telecommunications',
'location': 'France',
'name': 'Free Mobile',
'size': 'Large (subsidiary of Groupe Iliad)',
'type': 'Mobile network operator'}],
'attack_vector': 'Weak VPN authentication, lack of unusual activity detection',
'customer_advisories': 'Inadequate information provided to customers about '
'the breach and protective measures',
'data_breach': {'number_of_records_exposed': '24 million',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High (bank account numbers, '
'personally identifiable information)',
'type_of_data_compromised': ['Personal data',
'International bank account '
'numbers']},
'date_detected': '2024-10',
'date_publicly_disclosed': '2024-10',
'description': 'A hacker penetrated the information systems at France’s Free '
'SAS and sister company Free Mobile, accessing personal data, '
'including international bank account numbers, for 24 million '
'subscribers. The data protection regulator CNIL fined the '
'companies €42 million ($47 million) for GDPR violations and '
'inadequate security measures.',
'impact': {'brand_reputation_impact': 'Likely significant due to GDPR '
'violations and public disclosure',
'data_compromised': 'Personal data, including international bank '
'account numbers',
'financial_loss': '$42 million (€42 million in fines)',
'identity_theft_risk': 'High (bank account numbers and personal '
'data exposed)',
'legal_liabilities': 'GDPR fines imposed',
'payment_information_risk': 'High (international bank account '
'numbers exposed)',
'systems_affected': 'Information systems of Free SAS and Free '
'Mobile'},
'initial_access_broker': {'entry_point': 'Weak VPN authentication'},
'investigation_status': 'Completed (CNIL investigation)',
'lessons_learned': 'Inadequate security measures, including weak VPN '
'authentication and lack of monitoring, can lead to severe '
'data breaches and regulatory penalties. Proper breach '
'notification is critical to comply with GDPR.',
'post_incident_analysis': {'corrective_actions': 'Improved security measures '
'and ongoing efforts to '
'strengthen cybersecurity '
'posture',
'root_causes': ['Weak VPN authentication '
'procedures',
'Lack of effective monitoring for '
'unusual activity',
'Retention of unnecessary customer '
'data (former subscribers)',
'Inadequate breach notification to '
'customers']},
'recommendations': ['Implement strong authentication procedures for VPNs',
'Enhance monitoring for unusual activity on information '
'systems',
'Improve breach notification processes to ensure '
'customers understand risks and protective measures',
'Avoid retaining unnecessary customer data, especially '
'for former subscribers',
'Continue strengthening security measures post-incident'],
'references': [{'source': 'CNIL Press Release'}],
'regulatory_compliance': {'fines_imposed': '€42 million ($47 million)',
'regulations_violated': ['GDPR'],
'regulatory_notifications': 'CNIL investigation and '
'fines'},
'response': {'communication_strategy': 'Inadequate breach notification to '
'customers',
'enhanced_monitoring': 'Implemented post-incident',
'remediation_measures': 'Improved security measures '
'post-investigation'},
'title': 'Massive Data Breach at Free SAS and Free Mobile',
'type': 'Data Breach',
'vulnerability_exploited': 'Inadequate security measures, weak authentication '
'procedures, lack of effective monitoring'}