The French data protection authority (CNIL) fined Free and Free Mobile 42 million euros for failing to safeguard the personal information of approximately 23 million subscribers during a major 2024 data breach. Although the companies have since improved their security, the regulator found significant violations of GDPR rules regarding data retention, security protocols, and the quality of their communications with affected customers.
The CNIL recently handed down fines totaling 42 million euros to the internet service provider Free and its mobile subsidiary Free Mobile following a catastrophic security failure. The enforcement action stems from an October 2024 cyberattack in which hackers infiltrated the company's management systems and stole the personal data of nearly 23 million individuals. The breach was highly publicized after a threat actor attempted to sell the massive database on a criminal forum, claiming to have obtained sensitive information, including international bank account numbers, for a quarter of the victims.
Investigators determined that the companies had several critical security weaknesses that made the initial intrusion possible. Specifically, the agency pointed to inadequate authentication methods for employees accessing the corporate network remotely and a general failure to detect suspicious activity on the system before the data was exfiltrated. While the firms argued they had taken steps to modernize their infrastructure after the event, the authorities concluded that the negligence prior to the breach constituted a clear violation of legal obligations to protect consumer privacy.
Beyond the technical failures that led to the hack, the regulator criticized how the companies handled the aftermath and their broader data management practices. The investigation revealed that Free Mobile had been storing the personal information of millions of former customers long after their contracts had ended, exceeding the time limits allowed under European law. Furthermore, the notification emails sent to those affected by the hack were deemed insufficient because they failed to provide clear explanations of the risks involved or actionable advice on how customers could protect themselves from identity theft.
As part of the formal ruling, the companies are now under a strict timeline to rectify these systemic issues. They have been given three months to finalize their updated security measures and six months to purge any excess customer data that is no longer legally required for accounting purposes. These mandates are intended to ensure that the provider does not simply pay a fine but also fundamentally changes how it treats the privacy and security of the millions of French citizens who rely on its services for internet and mobile connectivity.
This massive fine arrives during a period of heightened vulnerability for the French telecommunications sector, which has seen several major providers targeted in recent years. Shortly after the incident at Free, other national giants including Orange France and Bouygues Telecom also reported significant security breaches that disrupted services or exposed the data of millions more subscribers. This wave of cyberattacks has prompted regulators to take a much more aggressive stance on corporate accountability to prevent sensitive financial and personal information from falling into the hands of cybercriminals.
Source: France Fines Free Mobile 42 Million Euros Over 2024 Data Breach Incident