Free Mobile and Free: French regulator fines Free and Free Mobile €42 million

French Telecom Giants Fined €42 Million Over Massive Data Breach

France’s data protection authority, CNIL, has imposed a combined €42 million fine on telecom operators Free and Free Mobile following an October 2024 cyberattack that compromised the personal data of 24 million subscribers. The breach exposed sensitive information, including bank account details, and CNIL found that the security measures in place fell short of what the GDPR requires.

Investigators identified weak VPN authentication and poor detection of abnormal system activity as the critical weaknesses that enabled the attack. Additionally, CNIL ruled that affected customers were not properly informed about the breach: the notification emails lacked clear details on the risks to customers and on the protective actions they should take.

Free Mobile received an extra penalty for retaining former customer data beyond legal limits. Both companies have been ordered to implement security upgrades and remove unauthorized data within strict deadlines. The case underscores regulatory scrutiny over data retention practices and breach notification transparency.

Source: https://dig.watch/updates/french-regulator-fines-free-and-free-mobile

Freestyle Technology cybersecurity rating report: https://www.rankiteo.com/company/freestyle-technology

"id": "FREFRE1768907025",
"linkid": "freestyle-technology, freestyle-technology",
"type": "Breach",
"date": "10/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': '24 million subscribers',
                        'industry': 'Telecommunications',
                        'location': 'France',
                        'name': 'Free',
                        'type': 'Telecom Operator'},
                       {'customers_affected': '24 million subscribers',
                        'industry': 'Telecommunications',
                        'location': 'France',
                        'name': 'Free Mobile',
                        'type': 'Telecom Operator'}],
 'attack_vector': 'Weak VPN authentication',
 'customer_advisories': 'Breach notification emails (deemed inadequate by '
                        'CNIL)',
 'data_breach': {'number_of_records_exposed': '24 million',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Personal data',
                                              'Bank account details']},
 'date_detected': '2024-10',
 'description': 'France’s data protection authority, CNIL, has imposed a '
                'combined €42 million fine on telecom operators Free and Free '
                'Mobile following an October 2024 cyberattack that compromised '
                'the personal data of 24 million subscribers. The breach '
                'exposed sensitive information, including bank account '
                'details, due to inadequate security measures under GDPR.',
 'impact': {'brand_reputation_impact': 'Regulatory scrutiny over data '
                                       'retention and breach notification '
                                       'transparency',
            'data_compromised': 'Personal data, bank account details',
            'financial_loss': '€42 million (fines)',
            'identity_theft_risk': 'High (bank account details exposed)',
            'legal_liabilities': 'Fines imposed by CNIL',
            'payment_information_risk': 'High (bank account details exposed)'},
 'investigation_status': 'Completed (CNIL investigation)',
 'lessons_learned': 'Inadequate security measures (weak VPN authentication, '
                    'poor detection of abnormal activity) and improper breach '
                    'notification can lead to significant regulatory penalties '
                    'and reputational damage.',
 'post_incident_analysis': {'corrective_actions': ['Implement security '
                                                   'upgrades',
                                                   'Remove unauthorized data',
                                                   'Improve breach '
                                                   'notification transparency'],
                            'root_causes': ['Weak VPN authentication',
                                            'Poor detection of abnormal system '
                                            'activity',
                                            'Inadequate breach notification']},
 'recommendations': ['Strengthen VPN authentication',
                     'Improve detection of abnormal system activity',
                     'Ensure clear and transparent breach notifications',
                     'Comply with data retention laws'],
 'references': [{'source': 'CNIL'}],
 'regulatory_compliance': {'fines_imposed': '€42 million',
                           'regulations_violated': ['GDPR'],
                           'regulatory_notifications': 'CNIL investigation'},
 'response': {'communication_strategy': 'Breach notification emails (deemed '
                                        'inadequate by CNIL)',
              'remediation_measures': ['Implement security upgrades',
                                       'Remove unauthorized data']},
 'title': 'French Telecom Giants Fined €42 Million Over Massive Data Breach',
 'type': 'Data Breach',
 'vulnerability_exploited': ['Weak VPN authentication',
                             'Poor detection of abnormal system activity']}