The French data protection authority has penalized the country's second-largest ISP for systemic security failures that exposed 23 million subscribers' data, revealing persistent vulnerabilities in telecom infrastructure.

The French data protection authority (CNIL) announced today that it has imposed cumulative fines totaling €42 million on Free Mobile and its parent company Free for violations stemming from a massive October 2024 data breach that compromised the personal information of nearly 23 million mobile and fixed-line subscribers. The penalty represents one of the most significant GDPR enforcement actions in France's telecommunications sector and highlights ongoing security challenges across European telecom providers.
The Breach: A Management Tool Exploit
In October 2024, attackers compromised Free Mobile's customer management infrastructure, gaining access to sensitive subscriber data. The breach came to light when a threat actor using the handle "drussellx" offered a database for sale on a hacker forum, claiming it contained records for 19.2 million customers. According to the listing, approximately 25% of those records included International Bank Account Numbers (IBANs), creating substantial financial fraud risk for millions of customers.
The attackers targeted the company's management tools—systems designed to handle customer accounts, billing, and service administration. These platforms typically require elevated access privileges and integrate with multiple backend systems, making them attractive targets for threat actors seeking bulk data exfiltration.
CNIL Investigation Reveals Systemic Failures
Following the breach, CNIL conducted a comprehensive inspection of Free Mobile's security practices. The investigation uncovered three primary GDPR violations that enabled the attack and exacerbated its impact:
1. Inadequate Data Security Measures (Article 32 GDPR)
The regulator found that Free Mobile had implemented insufficient security controls to protect customer data. Specifically:
- Weak VPN authentication: employee remote access relied on authentication that the regulator judged too weak to withstand unauthorized access attempts
- Ineffective monitoring: The company failed to detect abnormal activity patterns that would have signaled unauthorized data access or exfiltration
- Missing safeguards: The absence of robust intrusion detection and response capabilities allowed attackers to operate undetected
These deficiencies violated Article 32 of the GDPR, which requires organizations to implement "appropriate technical and organizational measures" to ensure data security, including encryption, confidentiality, integrity, and availability protections.
2. Inadequate Breach Notification (Article 34 GDPR)
While Free Mobile did notify affected customers, CNIL determined the communications fell short of regulatory requirements. The notification emails lacked:
- Specific details about the types of data compromised
- Clear explanations of potential consequences for affected individuals
- Concrete guidance on protective steps customers should take
- Transparent timelines about when the company discovered the breach and its scope
Article 34 requires that when a data breach is likely to result in a high risk to individuals' rights and freedoms, the controller must inform affected persons without undue delay, providing sufficient information to understand the risks and protective measures.
3. Excessive Data Retention (Article 5(1)(e) GDPR)
The investigation revealed Free Mobile maintained personal data from millions of former subscribers beyond the period necessary for legitimate business purposes. The company failed to:
- Implement proper data lifecycle management
- Sort and delete outdated records in a timely manner
- Align retention periods with actual business needs (the regulator noted accounting requirements justified only limited retention)
This violated the GDPR's storage-limitation principle (Article 5(1)(e)), which requires that personal data be kept in a form that identifies individuals for no longer than is necessary for the purposes for which it is processed. Once the purpose lapses (here, the end of the subscriber relationship, beyond whatever accounting rules still require), the data must be deleted or anonymized.
Enforcement Actions and Remedial Requirements
CNIL has ordered both Free Mobile and its parent company to complete implementation of newly deployed security measures within three months. Additionally, the companies must finish sorting and removing excess customer data within six months. The regulator indicated it would verify compliance through follow-up inspections.
A Pattern of Telecom Vulnerabilities
The Free Mobile breach appears to be part of a broader pattern of security incidents affecting French telecommunications providers:
- July 2025: Orange France disclosed a breach that caused operational disruptions across its systems
- August 2025: Bouygues Telecom suffered a data breach exposing sensitive information for 6.4 million customers
This concentration of incidents suggests systemic issues across the sector, including legacy infrastructure, complex supply chains, and high-value data repositories that attract sophisticated threat actors.
Practical Implications for Telecom Operators
The CNIL decision provides several key lessons for telecommunications companies and other organizations handling large volumes of customer data:
Remote Access Security
The Free Mobile case underscores the critical importance of securing remote access infrastructure. Organizations should:
- Implement multi-factor authentication (MFA) for all remote access points, preferring phishing-resistant methods (FIDO2/WebAuthn or certificate-based) over SMS or push codes
- Use zero-trust network access (ZTNA) to limit each session to the applications a role actually needs, rather than granting network-wide reach through a traditional VPN; ZTNA complements strong authentication, it does not replace it
- Deploy conditional access policies based on device health, location, and user behavior
- Regularly audit and rotate access credentials, and remove accounts and VPN profiles promptly when staff or contractors leave
Threat Detection and Monitoring
Effective detection capabilities could have identified the breach earlier, potentially limiting data exposure. Best practices include:
- Deploying Security Information and Event Management (SIEM) systems with telecom-specific correlation rules
- Implementing User and Entity Behavior Analytics (UEBA) to identify anomalous data access patterns
- Establishing 24/7 Security Operations Center (SOC) monitoring
- Creating automated alerts for bulk data access or export activities
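The last item above, an alert on bulk record access or export, is the one control that most directly targets the behavior seen in this breach (one account pulling millions of records through a management tool). The following is an added example, not code from CNIL, Free Mobile, or any product: a small sliding-window detector run over constructed access-log lines from a hypothetical customer-management tool. The log format (`timestamp user action detail source_ip`), the action names, the thresholds and the sample events are all assumptions made for the illustration.

```python
"""Bulk-access detection over access logs of a customer-management tool.

Added example (not from CNIL or Free Mobile). The log format, action names,
thresholds and sample events below are assumptions constructed for the demo.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # sliding window length (assumed policy)
RATE_LIMIT = 50                  # distinct customers per user per window
EXPORT_LIMIT = 1000              # rows in a single export before alerting


def parse_line(line):
    """Parse 'ts user action detail ip' into a dict; None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, user, action, detail, ip = parts
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return {"ts": when, "user": user, "action": action, "detail": detail, "ip": ip}


def detect(lines):
    """Return alerts for bulk record access and oversized exports.

    Per user, keep a deque of (timestamp, customer_id) inside WINDOW plus a
    count of hits per customer so the number of *distinct* customers in the
    window is len(counts[user]). 'bulk_access' fires once per user when that
    number first exceeds RATE_LIMIT; 'bulk_export' fires per export event whose
    'rows=N' detail exceeds EXPORT_LIMIT. Lines are assumed chronological per user.
    """
    window = defaultdict(deque)                      # user -> deque of (ts, cid)
    counts = defaultdict(lambda: defaultdict(int))   # user -> cid -> hits in window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # malformed line: skip rather than crash the pipeline
        if ev["action"].startswith("EXPORT"):
            detail = ev["detail"]
            rows = int(detail.split("=", 1)[1]) if detail.startswith("rows=") else 0
            if rows > EXPORT_LIMIT:
                alerts.append(("bulk_export", ev["user"], rows, ev["ts"]))
            continue
        user, cid, ts = ev["user"], ev["detail"], ev["ts"]
        dq, seen = window[user], counts[user]
        while dq and ts - dq[0][0] > WINDOW:      # expire events older than WINDOW
            _, old = dq.popleft()
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
        dq.append((ts, cid))
        seen[cid] += 1
        if len(seen) > RATE_LIMIT and user not in alerted:
            alerted.add(user)
            alerts.append(("bulk_access", user, len(seen), ts))
    return alerts


def build_sample_log():
    """Constructed sample: one normal agent, one scraping account, one big export."""
    base = datetime(2024, 10, 17, 2, 0, 0)
    lines = []
    for i in range(5):   # normal agent: 5 profiles spread over an hour
        t = base + timedelta(minutes=12 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} agent_0417 VIEW_PROFILE C{100 + i:07d} 10.20.4.11")
    for i in range(80):  # scraping account: 80 distinct profiles in 4 minutes
        t = base + timedelta(seconds=3 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} agent_1742 VIEW_PROFILE C{5000 + i:07d} 10.20.4.7")
    t = base + timedelta(minutes=6)   # then one oversized export from the same account
    lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} agent_1742 EXPORT_CSV rows=20000 10.20.4.7")
    lines.append("garbage line that should be skipped")
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

Two design points matter in practice. The rate alert counts distinct customers rather than raw requests, so an agent refreshing one account repeatedly does not trip it while a scraper walking sequential IDs does; and it fires once per user per episode instead of on every subsequent line, which keeps the SOC queue readable. Real thresholds should be derived from a baseline of legitimate agent activity rather than the assumed values above.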
Data Retention and Minimization
The excessive retention finding demonstrates that keeping data "just in case" creates unnecessary risk. Organizations should:
- Conduct regular data mapping exercises to understand what personal data exists and where
- Implement automated data lifecycle management tools
- Establish clear retention schedules aligned with legal and business requirements
- Regularly purge data that no longer serves a legitimate purpose
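The retention finding turned on a concrete rule: different data categories justify different retention periods, and a record is not "one thing" to keep or delete. As an added example, not Free Mobile's or CNIL's code, the sweep below applies a per-category schedule to former-subscriber records and lists what is due for deletion, while leaving active contracts and records under legal hold untouched. The category names, the retention periods and the sample records are assumptions made for illustration, not the periods French law actually prescribes.

```python
"""Retention sweep over former-subscriber records.

Added example, not Free Mobile's or CNIL's code. Category names, retention
periods (days after contract end) and sample records are assumptions.
"""
from datetime import date, timedelta

# Assumed schedule: days to keep each category after the contract ends.
RETENTION_DAYS = {
    "profile": 0,              # no residual purpose once the contract ends (assumed)
    "bank_details": 30 * 13,   # assumed window for direct-debit disputes
    "invoices": 365 * 10,      # assumed accounting retention
    "support_tickets": 365,    # assumed
}


def retention_deadline(category, contract_end):
    """Last day on which the category may still be held for this record."""
    return contract_end + timedelta(days=RETENTION_DAYS[category])


def sweep(records, today):
    """Return (record_id, category) pairs whose retention period has expired.

    Each record is a dict: id, contract_end (date, or None while the contract is
    active), categories (set of category names present), legal_hold (bool).
    Active contracts and records under legal hold are skipped entirely; an
    unknown category raises, because a category without a rule is itself the
    lifecycle-management gap the regulator objected to.
    """
    due = []
    for r in records:
        if r["contract_end"] is None or r.get("legal_hold", False):
            continue
        for cat in sorted(r["categories"]):
            if cat not in RETENTION_DAYS:
                raise ValueError(f"no retention rule for category {cat!r}")
            if today > retention_deadline(cat, r["contract_end"]):
                due.append((r["id"], cat))
    return due


# Constructed sample records (not real subscribers).
SAMPLE_RECORDS = [
    {"id": "sub_A", "contract_end": date(2019, 3, 1),
     "categories": {"profile", "bank_details", "invoices", "support_tickets"},
     "legal_hold": False},
    {"id": "sub_B", "contract_end": date(2024, 12, 20),
     "categories": {"profile", "bank_details"}, "legal_hold": False},
    {"id": "sub_C", "contract_end": None,                     # still a customer
     "categories": {"profile", "bank_details"}, "legal_hold": False},
    {"id": "sub_D", "contract_end": date(2015, 1, 1),         # litigation hold
     "categories": {"profile", "invoices"}, "legal_hold": True},
]


def run_sample(today=date(2025, 1, 15)):
    return sweep(SAMPLE_RECORDS, today)


if __name__ == "__main__":
    for rec_id, category in run_sample():
        print(f"delete {category} for {rec_id}")
```

In the sample, the subscriber who left in 2019 loses profile, bank details and support history but keeps invoices (still inside the assumed accounting period), the recent leaver loses only the profile, and the active and held records are untouched. The same routine can drive pseudonymization instead of deletion for categories where an anonymized residue is still needed for statistics.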
Breach Notification Readiness
The inadequate notification violation highlights the need for preparedness:
- Develop pre-approved notification templates that meet GDPR requirements
- Establish clear escalation paths and decision-making authority for breach response
- Practice breach notification through tabletop exercises
- Create customer communication channels that can deliver timely, detailed information
The Broader Regulatory Context
This enforcement action comes as European regulators increasingly focus on telecommunications security. The sector holds vast amounts of sensitive personal and financial data while facing sophisticated threat actors. Recent trends include:
- Increased scrutiny: Regulators are conducting more proactive inspections rather than waiting for breach reports
- Higher penalties: Fines are scaling to reflect the severity of violations and the number of affected individuals
- Focus on systemic issues: Regulators are examining organizational security culture and governance, not just technical controls
What Customers Should Do
If you were a Free Mobile customer during the breach period:
- Monitor financial accounts: Watch for unauthorized transactions, especially if IBAN data was exposed
- Enable banking alerts: Set up notifications for all account activity
- Be vigilant for phishing: Expect targeted phishing attempts using the exposed data
- Consider IBAN protection: Contact your bank about additional fraud monitoring for accounts linked to exposed IBANs
- Update passwords: Change passwords for any accounts that might share credentials with Free Mobile services
Looking Forward
The €42 million fine signals that regulators will hold telecommunications companies accountable for security failures that affect millions of customers. As the sector continues to face threats from sophisticated actors, organizations must move beyond compliance checklists to implement comprehensive security programs that protect customer data throughout its lifecycle.
For organizations in similar sectors, the Free Mobile case serves as a clear warning: inadequate security measures, poor data governance, and weak breach notification processes will result in significant regulatory penalties, regardless of post-breach improvements.
The CNIL's decision also reinforces the importance of the GDPR's security-by-design and privacy-by-default principles. Organizations cannot simply react to breaches—they must proactively build security into their operations from the ground up.
As French telecommunications providers work to restore customer trust, the industry as a whole must reckon with the reality that data protection is no longer a secondary concern but a fundamental business requirement.
For more information about GDPR compliance and data protection best practices, visit the CNIL official website and the European Commission's GDPR portal.
