French Regulators Impose €42M GDPR Penalties on Telecom Giants Over Massive Data Breach
#Privacy


Privacy Reporter
2 min read

France's data protection authority CNIL fines Free and Free Mobile €42 million for GDPR violations following a breach exposing 24.6 million customers' financial data, citing inadequate security controls and failure to protect user information.


France's data protection watchdog has levied substantial fines against telecom operators Free and Free Mobile following a catastrophic security failure that exposed sensitive financial information belonging to 24.6 million customers. The €42 million penalty represents one of France's most significant GDPR enforcement actions to date and highlights critical failures in corporate data protection practices.

The sanctions stem from a sophisticated October 2024 cyberattack where intruders compromised customer databases containing International Bank Account Numbers (IBANs) and personal identifiers. According to CNIL's investigation, attackers breached Free's corporate VPN on September 28th using compromised credentials, exploiting weak authentication protocols. This initial access allowed them to penetrate Free Mobile's subscriber management system (MOBO), which contained merged datasets for both fixed-line and mobile customers.

Crucially, investigators determined that basic security measures could have prevented or mitigated the breach. The VPN systems lacked multi-factor authentication, creating a single point of failure. Detection systems failed to identify abnormal data exfiltration patterns between October 6th-21st, allowing attackers uninterrupted access to:

  • 19.4 million Free Mobile subscriber records
  • 5.1 million Free fixed-line customer records
  • Financial identifiers including IBANs
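The detection gap described above is the one a defender can most readily close: sustained bulk reads of a subscriber database by a single account are loud in access logs if anyone baselines them. The following Python script is an added example, not code from the article or from Free, Free Mobile or Iliad Group. It reads constructed hourly access-log lines (the field layout, account names, system name and volumes are all invented for the example), learns a per-account baseline from a quiet period, and raises two kinds of alert: an hourly spike well above that account's baseline, and a cumulative total across the window that exceeds a limit. All thresholds are assumed tuning values.

```python
"""Volume-based exfiltration detection over constructed subscriber-DB access logs.

Added example (not from the article or the operators it describes). Each log
line records how many subscriber records one VPN account pulled from a customer
database in one hour. Rows before BASELINE_END form the baseline; later rows
are checked against it. Field layout, names and numbers are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <vpn_account> <system> <records_read>"
SAMPLE_LOG = """\
2024-09-20T09:00:00 svc_crm  MOBO 120
2024-09-20T10:00:00 svc_crm  MOBO 95
2024-09-20T14:00:00 svc_crm  MOBO 140
2024-09-21T09:00:00 svc_crm  MOBO 110
2024-09-21T11:00:00 svc_crm  MOBO 130
2024-09-22T09:00:00 svc_crm  MOBO 100
2024-09-20T09:00:00 j.doe    MOBO 30
2024-09-21T09:00:00 j.doe    MOBO 25
2024-09-22T09:00:00 j.doe    MOBO 40
2024-10-06T02:00:00 j.doe    MOBO 250000
2024-10-07T03:00:00 j.doe    MOBO 310000
2024-10-07T10:00:00 svc_crm  MOBO 125
"""

# Assumed tuning values; a real deployment derives them from its own data.
ABS_FLOOR = 1_000            # never alert on fewer records than this in one hour
RATIO = 10.0                 # alert when an hour exceeds RATIO x the account's baseline max
CUMULATIVE_LIMIT = 500_000   # alert once an account's running total passes this
BASELINE_END = datetime(2024, 10, 1)   # constructed cut-off between quiet period and watch period


def parse_log(text):
    """Yield (timestamp, account, system, records) tuples; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, account, system, records = parts
        yield datetime.fromisoformat(ts), account, system, int(records)


def build_baseline(events):
    """Largest hourly record count each account produced before BASELINE_END."""
    baseline = {}
    for ts, account, _system, records in events:
        if ts < BASELINE_END:
            baseline[account] = max(baseline.get(account, 0), records)
    return baseline


def detect(log_text):
    """Return alerts as (kind, account, timestamp, records) tuples in time order.

    kind is "hourly_spike" for a single hour above the account's threshold and
    "cumulative" (raised once per account) when the running total since
    BASELINE_END passes CUMULATIVE_LIMIT. An account with no baseline (never
    seen in the quiet period) is held to ABS_FLOOR.
    """
    events = sorted(parse_log(log_text))   # tuples sort by timestamp first
    baseline = build_baseline(events)
    cumulative = defaultdict(int)
    already_reported = set()
    alerts = []
    for ts, account, _system, records in events:
        if ts < BASELINE_END:
            continue
        threshold = max(ABS_FLOOR, RATIO * baseline.get(account, 0))
        if records > threshold:
            alerts.append(("hourly_spike", account, ts.isoformat(), records))
        cumulative[account] += records
        if cumulative[account] > CUMULATIVE_LIMIT and account not in already_reported:
            already_reported.add(account)
            alerts.append(("cumulative", account, ts.isoformat(), cumulative[account]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The service account `svc_crm` keeps its normal daytime volume and never trips either rule, while the low-volume user account suddenly pulling hundreds of thousands of records at night trips the hourly rule immediately and the cumulative rule on its second pull. The point of the second rule is that a slower, steadier pull that stays under the hourly threshold still accumulates into something that should be noticed within days, not weeks.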

Beyond technical failures, CNIL identified three core GDPR violations:

  1. Inadequate Security Safeguards: Absence of fundamental protections like VPN hardening and behavioral monitoring systems violated Article 32 requirements for data security by design.

  2. Breach Notification Deficiencies: Customers received generic alerts lacking specific risk assessments or actionable guidance about compromised financial data, violating Articles 33-34.

  3. Unlawful Data Retention: Systems retained former customers' financial information beyond legal limits without proper deletion mechanisms, contravening storage limitation principles under Article 5.

The €27 million fine for Free Mobile and €15 million penalty for Free reflect Iliad Group's corporate revenue scale. This penalty structure demonstrates regulators' commitment to making non-compliance financially consequential.

For affected customers, the breach creates ongoing fraud risks due to exposed banking identifiers. The notification failures compound these dangers by leaving individuals without clear guidance on protective measures. This case establishes critical precedents for telecom security obligations, particularly regarding:

  • Mandatory multi-factor authentication for internal systems
  • Real-time anomaly detection capabilities
  • Automated data lifecycle management
  • Transparent breach communication protocols

CNIL's action signals intensified scrutiny of how organizations protect financial data under GDPR. As digital payment systems proliferate, this ruling reinforces that companies handling sensitive information must implement layered security architectures that proactively defend against credential-based attacks rather than relying on reactive measures.
