TL;DR
France's data protection authority CNIL fined Free and Free Mobile a combined €42 million after a 2024 breach exposed the records of more than 24 million contracts, including IBANs. Regulators found gaps in VPN authentication, monitoring, and data-retention practices and said the companies failed to properly inform affected users.
What happened
France's privacy regulator CNIL has levied a combined €42 million fine against Free and Free Mobile, both subsidiaries of Iliad Group, over security shortcomings tied to an October 2024 data breach. According to CNIL, the intrusion began on September 28, 2024, and the attacker started exfiltrating records on October 6; the companies learned of the compromise only when the attacker messaged them on October 21, and Free removed the intruder from its systems on October 22. The attacker entered through the company VPN and from there reached MOBO, the subscriber-management tool that could be used to search customer records for both divisions. The post-mortem found that 24,633,469 fixed and mobile contracts were taken (19,460,891 from Free Mobile and 5,172,577 from Free) and that the stolen data included financial identifiers such as IBANs. CNIL ruled that the firms violated GDPR on three counts: inadequate security of personal data, insufficient breach communication to users, and failures in data-retention and deletion practices. The penalties were set with reference to Iliad's reported €10 billion turnover and €367 million profit for 2024.
Why it matters
- Large-scale exposure of financial identifiers heightens risk of fraud and financial harm for millions of customers.
- The regulator cited basic security failures (weak VPN authentication, no effective detection of abnormal activity), which signals the baseline controls it expects telecoms to have in place.
- Fines tied to corporate financials signal that regulators will weigh company size and profits when applying penalties.
- The ruling underscores the importance of data-retention and deletion processes as a compliance requirement under GDPR.
Key facts
- CNIL issued a total fine of €42 million to Free and Free Mobile (owned by Iliad Group).
- The breach affected 24,633,469 contracts: 19,460,891 Free Mobile and 5,172,577 Free.
- Attack timeline: intrusion began Sept 28, 2024; data exfiltration started Oct 6; attacker messaged companies Oct 21; attacker removed Oct 22.
- Attack path: compromised company VPN led to access to MOBO, the subscriber-management tool that could be used to query both businesses' customer records.
- Stolen data included financial information such as IBANs.
- CNIL found three GDPR violations: inadequate security controls, poor communication of the breach to affected users, and non-compliant data-retention practices.
- Specific security shortcomings cited included insufficient VPN authentication and ineffective detection of abnormal behavior on information systems.
- CNIL criticized the companies' inability to separate and delete former subscribers' data and noted the initial user notification lacked essential details.
- Fines were apportioned €27 million to Free Mobile and €15 million to Free, informed by Iliad's €10 billion turnover and €367 million profit reported for 2024.
What to watch next
- Whether Iliad, Free or Free Mobile will appeal CNIL's decision — not confirmed in the source
- Any corrective measures the companies put in place to strengthen VPN authentication and monitoring — not confirmed in the source
- Plans for remediation, customer compensation, or follow-up notifications to affected users — not confirmed in the source
Quick glossary
- CNIL: France's national data protection authority responsible for enforcing privacy and data protection rules, including GDPR.
- GDPR: The EU's General Data Protection Regulation, a legal framework that sets rules for processing personal data and grants rights to individuals.
- VPN: Virtual Private Network — a technology that creates an encrypted connection for remote access to a private network.
- IBAN: International Bank Account Number — a standardized format for bank account identifiers used to facilitate cross-border financial transactions.
- Data exfiltration: The unauthorized transfer or theft of data from a system or network.
Reader FAQ
Which companies were fined and why?
CNIL fined Free and Free Mobile for inadequate security, poor breach communication, and non-compliant data-retention practices linked to an October 2024 data breach.
How many records were exposed?
CNIL reported 24,633,469 contracts were compromised: 19,460,891 Free Mobile and 5,172,577 Free.
What kind of data was stolen?
The stolen records included customer information and financial identifiers such as IBANs.
Will customers receive compensation?
Not confirmed in the source.
Sources
- France fines telcos €42M for sub-par security prior to 24M customer breach
- Free Mobile, Free hit with $49M data breach fine
- France's Cnil regulator imposes fines against Free Mobile and …
- Theft of Customers' Personal Data: a Record €42 Million …