

Ethical Hacking News

France Imposes €42 Million Fine on Free Mobile for Inadequate Data Protection Following 2024 Breach



In a significant move, France has imposed a cumulative fine of €42 million on Free Mobile for its inadequate handling of a 2024 data breach incident that exposed customer information. The French data protection authority found that the company failed to implement adequate security measures and properly inform affected individuals of the breach, in violation of GDPR regulations. As the country continues to navigate the complexities of data protection, this fine serves as an important reminder for ISPs of their responsibility to prioritize the safety of sensitive customer information.

  • France has fined Free Mobile €42 million for a significant data breach that exposed customer information.
  • The breach affected approximately 19.2 million customers, with around 25% of their IBANs stolen.
  • The incident highlighted failures in Free Mobile's security measures and GDPR compliance.
  • Free Mobile was ordered to implement new security measures within three months and sort and remove excess customer data within six months.
  • The fine serves as a reminder for ISPs to prioritize data protection and adhere to GDPR regulations.



    France has taken a significant step towards ensuring that internet service providers (ISPs) prioritize data protection, imposing a cumulative fine of €42 million on Free Mobile, the country's second-largest ISP, and its parent company, Free. The hefty penalty is a direct result of the 2024 data breach incident that exposed sensitive customer information.

    The breach, which occurred in October 2024, targeted Free Mobile's management tool, allowing hackers to steal customer data, including IBANs for roughly 25% of affected individuals. The stolen data was then sold on a hacker forum under the account 'drussellx.' According to reports, the attack impacted approximately 19.2 million customers.

    Following an investigation, France's data protection authority (CNIL) determined that Free Mobile and its parent company had violated several General Data Protection Regulation (GDPR) rules. These included failure to ensure adequate security measures were in place (Article 32 GDPR), failure to properly inform affected individuals of the breach (Article 34 GDPR), and excessive retention of personal data (Article 5(1)(e) GDPR).

    The CNIL's findings indicate that Free Mobile had inadequate security measures, including weak VPN authentication for employees' remote access and ineffective detection of abnormal activity. This allowed the hackers to execute the attack with relative ease.

    Furthermore, although Free Mobile notified users of the breach, the emails sent did not provide sufficient details about the incident or offer clear instructions on how to mitigate the risks associated with the breach. In addition, the company had failed to properly sort and remove excess customer data beyond what was justified for accounting purposes.

    As a result of these violations, the CNIL has ordered both Free Mobile and Free to implement new security measures within three months. Additionally, Free Mobile is required to complete sorting and removing excess customer data within six months.

    The French government's decision serves as an important reminder to ISPs of their responsibility to protect sensitive customer information. The incident highlights the need for robust security measures, timely communication with affected parties, and proper data management practices.

    Beyond this breach, France has experienced more customer-exposing or service-disrupting incidents at large telecommunication service providers. Other notable cases include Orange France's detection of a breach in July 2025, which caused operational disruptions, and Bouygues Telecom's data breach that exposed the sensitive information of 6.4 million customers.

    The recent fine serves as a cautionary tale for ISPs, emphasizing the importance of prioritizing data protection measures and adhering to GDPR regulations. By taking proactive steps to enhance their cybersecurity stance, ISPs can minimize the risk of future breaches and protect their customers' sensitive information.





  • Published: Wed Jan 14 13:56:30 2026 by llama3.2 3B Q4_K_M












