Free Mobile and Free fined $49 million in France after major data theft


CNIL, the French data protection regulator, has levied fines of €42 million ($49 million) on telecom companies Free and Free Mobile for failing to ensure the security of their subscribers’ data prior to a data breach in 2024.

Free, a French telecommunications company, disclosed a major cyberattack in 2024 after a threat actor attempted to sell the stolen data on the dark web. The attackers had accessed an internal management tool and, through it, the personal data of some subscribers.

Free was “the victim of a cyberattack targeting a management tool” leading to “unauthorized access to some of the personal data associated with the accounts of certain subscribers,” the second largest telephone operator in France confirmed back then.


At the time, the firm also said that no passwords, bank card details or contents of emails, texts, and voice messages were breached. Free immediately filed a criminal complaint and informed CNIL about the incident.

Now, after concluding that personal data of 24 million subscribers was actually accessed, CNIL announced that an inspection revealed “breaches of several obligations under the GDPR” attributable to Free Mobile and Free.


As a result, the regulator levied a fine of €27 million ($31.4 million) on Free Mobile and a fine of €15 million ($17.5 million) on Free. It also emerged that the attackers had managed to exfiltrate millions of subscriber IBANs, a particularly sensitive category of data because it can be misused for direct-debit fraud.

“On the day of the data breach, the companies had not implemented certain basic security measures that could have made the attack more difficult,” said CNIL in a statement.

In particular, it noted that the authentication procedure for connecting to the VPNs of Free Mobile and Free, used among other things for remote working by the companies’ employees, was not sufficiently robust.

Furthermore, the measures deployed by both companies to detect abnormal behaviour on their information systems were ineffective.


Finally, on the date of the inspection, Free Mobile had not implemented measures to sort the data of former subscribers so as to retain only what was necessary for accounting purposes and to delete it once its retention was no longer justified.

CNIL has lately been pretty active. In late December, the regulator fined the French software company Nexpublica, once again for failing to implement sufficient security measures and for fixing the flaws in its systems only after a data breach.

CNIL has a lot on its hands, indeed. In mid-December, the French Ministry of the Interior confirmed to Cybernews that it had suffered a cyberattack after attackers claimed to have accessed its systems and data, some of it personal, on 16.4 million French citizens.

