
France’s data protection authority fines Free and Free Mobile €42 million over major customer data breach

France’s data protection authority has imposed cumulative fines of €42 million on Free Mobile and its parent company, Free, after determining that inadequate cybersecurity safeguards led to the exposure of personal data belonging to tens of millions of customers.



CNIL, the national regulator responsible for enforcing data privacy law, concluded that security failures at the telecom group enabled a cyberattack in October 2024 that compromised information tied to nearly 23 million mobile and fixed-line subscribers. Free is the second-largest internet service provider in France, offering mobile, broadband, and fixed-line services nationwide.


The breach stemmed from unauthorized access to an internal management tool, allowing attackers to extract sensitive customer records that were later offered for sale on a hacker forum. The seller, using the alias “drussellx,” claimed the dataset affected more than 19 million customers and included bank account identifiers for roughly a quarter of those impacted.


Following a wave of complaints from affected individuals, the regulator carried out an inspection that identified multiple violations of the General Data Protection Regulation. Investigators found that both Free Mobile and Free had failed to ensure adequate protection of personal data, despite each acting as data controller for its own subscribers.


The authority determined that, at the time of the incident, the companies had not implemented basic security measures capable of reducing the likelihood or severity of an attack. Employee remote access relied on weak virtual private network authentication, and systems intended to detect abnormal activity were ineffective. Given the scale and sensitivity of the data processed, the safeguards in place were deemed insufficient.


The regulator also found shortcomings in how customers were informed of the breach. While notifications were sent and support channels were established, the initial emails did not clearly explain the consequences of the incident or outline steps individuals could take to reduce potential harm, falling short of GDPR notification requirements.


In addition, Free Mobile was cited for retaining personal data longer than permitted. The inspection revealed that millions of records belonging to former subscribers were kept well beyond what was necessary, without proper sorting or deletion once accounting obligations had been met.


Taking into account the companies’ financial capacity, the number of people affected, the sensitive nature of the data involved, and the risks associated with exposure of bank identifiers, the regulator’s sanctions committee imposed a €27 million fine on Free Mobile and a €15 million fine on Free. The companies were also ordered to complete recently introduced security enhancements within three months. Free Mobile was given six months to finish sorting and deleting excess customer data.


The Free Mobile breach was followed by additional high-profile incidents across France’s telecommunications sector. In July 2025, Orange France disclosed a security incident that disrupted operations. One month later, Bouygues Telecom reported a data breach affecting 6.4 million customers.


Regulators said the enforcement action underscores the obligation for large service providers to maintain strong, continuously updated cybersecurity measures and to handle personal data in strict compliance with European privacy law.


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543