France fines Free and Free Mobile €42 million after breach exposed 24.6 million records

A CNIL decision found that Free and Free Mobile must pay a collective €42 million fine after an October 2024 breach exposed more than 24.6 million customer records including IBANs.

KEY FACTS

  • Incident: October 2024 breach exposed 24,633,469 contracts
  • Data exposed: customer personal and financial data, including IBANs
  • Timeline: attack began 28 September 2024, exfiltration started 6 October, companies notified 21 October, attacker removed 22 October
  • Penalties: €27 million for Free Mobile and €15 million for Free

The intrusion began on 28 September 2024 and data exfiltration started on 6 October 2024. The attacker alerted the companies on 21 October and Free removed the intruder from its systems the next day.

Attackers accessed Free’s network via the company VPN before connecting to MOBO, Free Mobile’s subscriber management application. MOBO allowed searches for records belonging to both Free and Free Mobile subscribers, which made IBANs available if customers were subscribers of services.

The post mortem shows 19,460,891 Free Mobile contracts and 5,172,577 Free contracts were exposed, for a total of 24,633,469. At the time, Free Mobile had about 15.5 million subscribers and Free about 7.6 million. The fines were set at €27 million and €15 million and were calculated with reference to Iliad’s reported €10 billion turnover and €367 million profit in 2024.

Basic security measures were not implemented. VPN authentication was not sufficiently robust and detection of abnormal behaviour was ineffective. The companies lacked mechanisms to sort or delete former subscribers’ data and initial user notifications omitted key details needed to assess the impact.

WHY IT MATTERS

The penalties and findings underline the operational and legal risks from weak remote access controls and poor data retention practices for large telecom providers. Millions of customers faced potential financial and identity exposure because of the breach.