Free: French telecoms fined €42 million for major GDPR data breach

French Telecom Giants Fined €42M After Massive GDPR Breach Affecting 24 Million

French telecom operators Free and Free Mobile, subsidiaries of Iliad Group, have been hit with a €42 million ($48.8 million) fine by France’s data protection authority, CNIL, for GDPR violations linked to a major October 2024 data breach. The incident exposed the personal and financial data of over 24 million individuals, including IBANs and other sensitive information.

The attack began on September 28, 2024, when threat actors infiltrated the companies’ systems via a vulnerable VPN and exploited a flaw in the MOBO subscriber management tool. The breach compromised 19.5 million Free Mobile contracts and 5.2 million Free fixed-line contracts, making it one of the largest cybersecurity incidents in France this year.

CNIL’s investigation revealed critical security failures, including weak VPN authentication, inadequate anomaly detection, and poor data retention policies. The regulator also criticized the companies for delayed and insufficient breach notifications, further violating GDPR requirements.

The fine underscores the growing scrutiny of telecom providers' data protection compliance, particularly as cyberattacks targeting customer databases intensify.

Source: https://www.scworld.com/brief/french-telecoms-fined-e42-million-for-major-gdpr-data-breach

Freedom Mobile cybersecurity rating report: https://www.rankiteo.com/company/freedom-mobile

"id": "FRE1768502410",
"linkid": "freedom-mobile",
"type": "Breach",
"date": "9/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '5,172,577 contracts',
                        'industry': 'Telecommunications',
                        'location': 'France',
                        'name': 'Free',
                        'type': 'Telecom'},
                       {'customers_affected': '19,460,891 contracts',
                        'industry': 'Telecommunications',
                        'location': 'France',
                        'name': 'Free Mobile',
                        'type': 'Telecom'}],
 'attack_vector': 'VPN Exploitation',
 'data_breach': {'number_of_records_exposed': '24,633,468',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Personal data',
                                              'Financial information (IBANs)']},
 'date_detected': '2024-10',
 'description': 'French telecom companies Free and Free Mobile were fined €42 '
                'million by the CNIL for GDPR violations following a data '
                'breach that compromised the personal data of over 24 million '
                'individuals, including sensitive financial information like '
                'IBANs.',
 'impact': {'brand_reputation_impact': 'Likely significant',
            'data_compromised': 'Personal data, IBANs',
            'financial_loss': '€42 million (fines)',
            'identity_theft_risk': 'High',
            'legal_liabilities': 'GDPR violations',
            'payment_information_risk': 'High',
            'systems_affected': 'MOBO subscriber management tool, VPN'},
 'initial_access_broker': {'entry_point': 'VPN'},
 'post_incident_analysis': {'root_causes': ['Inadequate VPN authentication',
                                            'Ineffective systems for detecting '
                                            'abnormal activity',
                                            'Insufficient data retention '
                                            'policies',
                                            'Poor breach notification '
                                            'procedures']},
 'references': [{'source': 'The Register'}],
 'regulatory_compliance': {'fines_imposed': '€42 million',
                           'regulations_violated': 'GDPR'},
 'title': 'Data Breach at Free and Free Mobile',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Vulnerability in MOBO subscriber management tool'}