

Ethical Hacking News

The €42 Million Fine: A Cautionary Tale of Telecom Companies' Failure to Prioritize Customer Data Security



France has fined two major telecom companies, Free and Free Mobile, €42 million for their roles in a data breach that compromised the personal data of over 24 million individuals, including financial information such as IBANs. The fine was issued by France's data protection regulator, CNIL, due to the companies' failure to properly secure personal data, inadequate communication of the breach to those affected, and non-compliance with data retention laws.

  • The French data protection regulator, CNIL, fined two telecom companies, Free and Free Mobile, €42 million for gross failure to prioritize customer data security.
  • The breach occurred in October 2024 due to an attacker gaining unauthorized access to both companies' networks via their VPN connections.
  • Basic security measures fell short: the VPN authentication procedures were not sufficiently robust, and the measures for detecting abnormal behavior were ineffective.
  • The attack exposed sensitive information of over 24 million individuals, including financial data.
  • The initial notification email from the companies was inadequate, highlighting a lack of transparency about the breach's consequences.
  • The fine serves as a reminder to telecom companies that protecting customer data is a legal requirement under the GDPR, which CNIL enforces in France.
  • The €42 million fine represents one of the largest fines ever handed down in France for a breach under the GDPR.



    In a move that is being hailed as a significant step towards ensuring accountability in the telecommunications sector, France's data protection regulator, CNIL (Commission Nationale Informatique et Libertés), has imposed a €42 million fine on two major telecom companies, Free and Free Mobile. The hefty penalty was handed down due to the companies' gross failure to prioritize customer data security, leading to a catastrophic breach that exposed the sensitive information of over 24 million individuals.

    According to CNIL's judgment, the breach occurred in October 2024, when an attacker gained unauthorized access to both companies' networks via their VPN connections. The attacker then used this entry point to exfiltrate a vast array of customer records, including financial information such as IBANs, from Free Mobile's subscriber management tool, MOBO. MOBO allowed users to search for the data belonging to customers of both Free and Free Mobile.

    The attack was particularly egregious because it highlighted the absence of basic security measures that could have made the breach easier to detect or harder to carry out. CNIL noted specifically that the authentication procedure for connecting to Free Mobile's VPN and to Free's VPN was not sufficiently robust. Furthermore, the measures the companies had deployed to detect abnormal behavior on their information systems were ineffective.

    The attack began with the attacker gaining access to Free's network via its VPN before connecting to Free Mobile's subscriber management tool, MOBO. Although the attacker only gained access to Free Mobile's application, MOBO at the time allowed users to search for the data belonging to customers of both Free and Free Mobile, including their IBANs. This feature was particularly concerning because it highlighted the companies' failure to implement adequate security controls that would have prevented an attacker from accessing sensitive customer information.

    The nature of the data stolen came into consideration when deciding the fine, as did the companies' data retention policies. CNIL noted that both Free and Free Mobile lacked the necessary capabilities to sort former subscribers' data in a way that retained only the necessary information for accounting purposes. They also lacked an adequate data-deletion mechanism at the time of the attack.

    When it came to notifying their users about the breach, the initial email sent by the companies was woefully inadequate. The email did not provide users with key details they needed for a comprehensive understanding of the breach's consequences. This lack of transparency was a further failure on the part of Free and Free Mobile, who could have taken steps to mitigate the damage caused by their negligence.

    The fine imposed by CNIL serves as a stern reminder to telecom companies that protecting customer data is not just a moral obligation but also a legal requirement under the General Data Protection Regulation (GDPR), which CNIL enforces in France. The GDPR places significant responsibilities on organizations handling personal data, including telecom companies. Failure to comply with these regulations can result in severe penalties, including fines and reputational damage.

    The €42 million fine imposed by CNIL represents one of the largest fines ever handed down in France for a breach under the GDPR. It is clear that both Free and Free Mobile have failed in their obligations to protect customer data, leading to significant consequences for both their reputation and their bottom line.

    As telecom companies continue to expand their services and handle increasing amounts of sensitive customer information, it is imperative that they prioritize security above all else. This means investing in robust security measures, implementing adequate data retention policies, and ensuring that users are adequately informed about any breaches that may occur.

    The fine imposed by CNIL serves as a warning to telecom companies to take their responsibilities seriously and to prioritize the security of customer data above all else. Failure to do so can result in severe penalties and reputational damage. As such, this fine will undoubtedly serve as a cautionary tale for the telecommunications sector, emphasizing the importance of prioritizing customer data security.

    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-42-Million-Fine-A-Cautionary-Tale-of-Telecom-Companies-Failure-to-Prioritize-Customer-Data-Security-ehn.shtml

  • https://go.theregister.com/feed/www.theregister.com/2026/01/14/france_fines_free_free_mobile/


  • Published: Wed Jan 14 09:30:24 2026 by llama3.2 3B Q4_K_M












