FREE and FREE MOBILE: Data breach: FREE MOBILE and FREE fined €42 million

FREE MOBILE and FREE Hit with €42 Million in GDPR Fines Over Massive Data Breach

On 13 January 2026, France’s data protection authority, the CNIL, imposed €42 million in fines on telecom operators FREE MOBILE (€27 million) and FREE (€15 million) for failing to secure subscriber data, following a 2024 cyberattack that exposed sensitive information of 24 million customers.

The breach, discovered in October 2024, allowed an attacker to infiltrate the companies’ systems and access personal data, including IBANs, from millions of subscriber contracts. Over 2,500 complaints prompted a CNIL investigation, which uncovered multiple GDPR violations, including inadequate security measures, delayed breach notifications, and excessive data retention.

Key Failures Identified by CNIL

  1. Weak Security Measures (Article 32 GDPR)

    • The companies lacked basic protections, such as robust VPN authentication and effective anomaly detection, making the attack easier to execute.
    • While FREE MOBILE and FREE later strengthened security, the CNIL ordered them to complete these measures within three months.
  2. Incomplete Breach Notifications (Article 34 GDPR)

    • Affected customers received two-tiered communications (an email and a toll-free number), but the initial email omitted critical details, leaving victims unaware of the full risks and of the protective steps available to them.
  3. Excessive Data Retention (Article 5-1-e GDPR – FREE MOBILE Only)

    • FREE MOBILE failed to purge outdated subscriber data, retaining millions of records without legal justification. The CNIL ordered the company to complete data sorting and deletion within six months.

Impact and CNIL’s Rationale

The fines reflect the scale of the breach, the sensitivity of exposed data (IBANs), and the companies’ financial capacity. The CNIL emphasized that while no security is foolproof, FREE MOBILE and FREE’s lack of fundamental safeguards unnecessarily increased risks for millions of users. Both companies have since begun remediation efforts, though the CNIL’s deadlines remain in effect.

Source: https://www.cnil.fr/en/sanction-free-2026

FREE TPRM report: https://www.rankiteo.com/company/freedom-health

FREE MOBILE TPRM report: https://www.rankiteo.com/company/freedom-health

"id": "frefre1768394235",
"linkid": "freedom-health, freedom-health",
"type": "Breach",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '24 million subscriber contracts',
                        'industry': 'Telecom',
                        'location': 'France',
                        'name': 'FREE MOBILE',
                        'type': 'Telecommunications'},
                       {'customers_affected': '24 million subscriber contracts',
                        'industry': 'Telecom',
                        'location': 'France',
                        'name': 'FREE',
                        'type': 'Internet Service Provider'}],
 'attack_vector': 'VPN Infiltration',
 'customer_advisories': 'Two-level communication (email, toll-free number, '
                        'internal DPO system)',
 'data_breach': {'number_of_records_exposed': '24 million subscriber contracts',
                 'personally_identifiable_information': 'Yes (names, contract '
                                                        'details, IBANs)',
                 'sensitivity_of_data': 'High (IBANs, personal data)',
                 'type_of_data_compromised': 'Personal data, IBANs'},
 'date_detected': '2024-10-01',
 'date_publicly_disclosed': '2026-01-14',
 'description': 'On 13th January 2026, the CNIL issued two sanction decisions '
                'against FREE MOBILE and FREE, imposing fines of €27 million '
                'and €15 million respectively, due to inadequacy of measures '
                "taken to ensure the security of their subscribers' data. An "
                "attacker infiltrated the companies' information system in "
                'October 2024, accessing personal data relating to 24 million '
                'subscriber contracts, including IBANs.',
 'impact': {'brand_reputation_impact': 'High (due to regulatory sanctions and '
                                       'public disclosure)',
            'customer_complaints': '2500+ complaints',
            'data_compromised': 'Personal data of 24 million subscriber '
                                'contracts, including IBANs',
            'financial_loss': '€42 million (€27M FREE MOBILE, €15M FREE)',
            'identity_theft_risk': 'High (IBANs exposed)',
            'legal_liabilities': 'GDPR violations, fines imposed by CNIL',
            'payment_information_risk': 'High (IBANs exposed)',
            'systems_affected': 'Information systems of FREE MOBILE and FREE'},
 'initial_access_broker': {'entry_point': 'VPN'},
 'investigation_status': 'Completed (CNIL investigation)',
 'lessons_learned': 'Basic security measures (e.g., robust VPN authentication, '
                    'effective monitoring) are critical to reducing the '
                    'probability and severity of data breaches. Proper data '
                    'retention policies must be enforced to comply with GDPR.',
 'post_incident_analysis': {'corrective_actions': 'Strengthened VPN '
                                                  'authentication, enhanced '
                                                  'monitoring, data sorting '
                                                  'and purging, improved '
                                                  'breach notification '
                                                  'communication',
                            'root_causes': 'Inadequate VPN authentication, '
                                           'ineffective abnormal behavior '
                                           'detection, lack of data retention '
                                           'policies'},
 'recommendations': 'Implement robust VPN authentication, enhance monitoring '
                    'for abnormal behavior, enforce data retention policies, '
                    'and ensure clear communication to affected individuals in '
                    'case of a breach.',
 'references': [{'date_accessed': '2026-01-14', 'source': 'CNIL'}],
 'regulatory_compliance': {'fines_imposed': '€42 million (€27M FREE MOBILE, '
                                            '€15M FREE)',
                           'legal_actions': 'Sanction decisions by CNIL',
                           'regulations_violated': ['GDPR Article 32 (Security '
                                                    'of personal data)',
                                                    'GDPR Article 34 (Data '
                                                    'breach notification)',
                                                    'GDPR Article 5-1-e (Data '
                                                    'retention)'],
                           'regulatory_notifications': 'CNIL inspection and '
                                                       'proceedings'},
 'response': {'communication_strategy': 'Two-level communication (email, '
                                        'toll-free number, internal DPO '
                                        'system)',
              'enhanced_monitoring': 'Implemented post-incident',
              'remediation_measures': 'Strengthened security measures (VPN '
                                      'authentication, abnormal behavior '
                                      'detection)'},
 'title': 'Data breach: FREE MOBILE and FREE fined €42 million',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Insufficient VPN authentication, ineffective '
                            'abnormal behavior detection'}