
Free, one of France’s largest internet service providers, said it experienced a data security incident that compromised the sensitive personal data of millions of customers.
Recently, a threat actor using the moniker “drussellx” claimed that they infiltrated the internal network of Free and stole sensitive personal information of its customers. According to a post on social platform X, the threat actor put up for sale two databases containing the personal information of 19.2 million Free customers and 5.11M IBAN (International Bank Account Number) coordinates.
🚨🔴CYBERALERT, 🇫🇷FRANCE 🔴 | 19M accounts and 5M IBANs from the telephone operator Free put up for sale on the "Amazon of cybercrime"
Last night, a cybercriminal put up for sale two databases purportedly belonging to Free:
👉 one containing 19,192,948 accounts… pic.twitter.com/24lgxXsoWv
— SaxX ¯\_(ツ)_/¯ (@_SaxX_) October 22, 2024
The compromised data included names, phone numbers, postal addresses, dates of birth, email addresses and more. To prove the authenticity of their claims, drussellx also shared screenshots of the stolen data.
Acknowledging the claims of the threat actor, a Free spokesperson told BleepingComputer that the company indeed suffered a data security incident. The company has notified the French National Commission for Information Technology and Civil Liberties (CNIL) and the National Agency for the Security of Information Systems (ANSSI) about the incident and has filed a criminal complaint with the public prosecutor’s office.
Free has started notifying affected subscribers and the company spokesperson added that the cyber attack did not impact its activities and services.
The ISP’s investigation revealed that the attack targeted a management tool that exposed its customers’ data. However, the attackers failed to access customer passwords, bank card information, and communications content including emails, SMSs and voice messages. Free added that the compromised IBANs are “not enough to make a direct debit from a bank.”
“If subscribers nevertheless notice an unusual direct debit, not corresponding to any date and no known invoice amount, their bank is obliged to reimburse them. They have 13 months to report the fraudulent direct debit.
“We also invite them to be vigilant against phishing attempts. Never communicate your access codes or bank card whether by email, SMS or during a call,” the company spokesperson added.