Feb 08, 2026 · 5 min read
France Fines Free Mobile €42 Million After Hackers Stole 24 Million Customer Records
The French data protection authority found that the telecom company failed to implement basic security measures, used weak VPN authentication, and did not properly warn customers about the breach.
What Happened
In October 2024, hackers breached the systems of Free Mobile and its parent company FREE, two major French telecommunications providers. The attack exposed personal data from 24 million subscriber contracts, including IBANs, which are European bank account identifiers.
The attack began on September 28, 2024. The companies only became aware of the intrusion on October 21 when the attacker sent them a message. Free removed the attacker from its systems the following day.
On January 13, 2026, France's data protection authority, the CNIL, issued two sanction decisions: €27 million against Free Mobile and €15 million against FREE, totaling €42 million. The CNIL received more than 2,500 complaints from affected individuals.
The Security Failures
The CNIL found that both companies failed to implement basic security measures that could have made the attack more difficult or prevented it entirely.
The most significant failure was weak VPN authentication. The authentication procedure for connecting to the companies' VPNs, which employees used for remote work, was not sufficiently robust. This gave the attacker an entry point into the network.
Additionally, the companies' systems for detecting abnormal behavior were ineffective. The attacker operated within the network for weeks before being discovered, and the discovery only happened because the attacker chose to make contact.
The CNIL noted that despite the sensitivity of the information involved, including financial data, the protection measures for data confidentiality were inadequate.
What Data Was Exposed
The breach exposed:
- Personal subscriber information
- Contract details
- IBANs (bank account identifiers) for affected customers
With 24 million subscriber contracts affected, this represents a substantial portion of the French population. The exposure of IBANs is particularly concerning because it can facilitate financial fraud and phishing attempts.
Inadequate Breach Notification
Beyond the security failures, the CNIL found that the companies did not properly notify affected users. Under GDPR Article 34, when a data breach is likely to result in high risk to individuals' rights and freedoms, the company must inform those individuals about the breach.
The notification emails sent to customers did not contain all the necessary information required by the regulation. Specifically, the emails did not allow individuals to directly understand the consequences of the breach or the measures they could take to protect themselves.
When millions of people have their bank account details exposed, they need clear guidance on what to watch for and how to protect their accounts. The companies failed to provide this.
Data Retention Violation
Free Mobile faced an additional violation: retaining personal data longer than necessary. The CNIL found that the company had kept millions of former subscriber records without justification.
Under GDPR's data minimization principle, companies should only keep personal data for as long as it is needed for the purpose it was collected. By holding onto data from former customers, Free Mobile expanded the pool of people whose information was at risk when the breach occurred.
This highlights a broader problem: companies often collect and retain far more data than necessary, increasing the potential impact of any security incident.
What This Means for Affected Customers
If you were a Free or Free Mobile customer in France during this period, your data may have been exposed. Here are steps you should consider:
- Monitor your bank account: Watch for unauthorized transactions or suspicious activity
- Be wary of phishing attempts: Attackers may use the stolen information to craft convincing scam emails
- Contact your bank: Consider setting up additional verification for transactions
- Watch for targeted scams: Fraudsters with your personal details can create highly personalized attacks
The €42 million fine sends a message about regulatory expectations, but it does not undo the exposure of millions of people's personal and financial information.
The Bigger Picture
This case illustrates a pattern seen repeatedly in major breaches: basic security failures that should have been prevented. Weak authentication, inadequate monitoring, and excessive data retention are well-known risks with well-established solutions.
The CNIL's decision reinforces that GDPR is not just about consent forms and privacy policies. It requires companies to actually protect the data they collect. When they fail to do so, significant financial penalties follow.
For consumers, this is another reminder that your personal data is only as safe as the security practices of every company that holds it. Even companies you trust with essential services like phone connectivity can fail to protect basic information like your bank details.