The French data protection regulator, CNIL, today issued a collective €42 million ($48.9 million) fine to two French telecom companies for GDPR violations stemming from a data breach.
Free and Free Mobile are two separate businesses, respectively overseeing fixed-line and mobile services, owned by Iliad Group. The fines relate to an October 2024 breach that led to the data of more than 24 million individuals being compromised, including financial information such as IBANs.
In its judgment, CNIL noted that the attack began on September 28, 2024, and the companies were made aware of the intrusion on October 21 via a message from the attacker responsible. Free ousted the attacker from its systems the following day.
The attackers gained access to Free's network via the company VPN before connecting to Free Mobile's subscriber management tool, MOBO. Although the attacker only gained access to Free Mobile's application, MOBO at the time allowed users to search for data belonging to customers of both Free and Free Mobile, including their IBANs, provided they were subscribers to the services.
A post-mortem of the attack revealed that the attacker began exfiltrating customer records on October 6, 2024, covering a total of 24,633,469 fixed and mobile contracts. This was broken down into 19,460,891 Free Mobile contracts and 5,172,577 Free contracts.
At the time of the attack, Free Mobile had around 15.5 million subscribers, while Free had approximately 7.6 million. The companies were fined €27 million ($31.4 million) and €15 million ($17.4 million), respectively, based on Iliad's €10 billion turnover and €367 million profit posted in 2024.
The regulator said that the companies contravened GDPR in three ways: by failing to properly secure personal data, failing to adequately communicate the breach to those affected, and failing to comply with data retention laws.
Announcing the fine, CNIL said: "The restricted panel found that on the day of the data breach, the companies had not implemented certain basic security measures that could have made the attack more difficult.
"In particular, it noted that the authentication procedure for connecting to the VPN of Free Mobile and to that of Free – used especially for remote work by the company's employees – was not sufficiently robust.
"Furthermore, the measures deployed by Free Mobile and Free to detect abnormal behavior on their information systems were ineffective."
The nature of the data that was stolen came into consideration when deciding the fine, as did the companies' data retention policies.
CNIL noted that both Free and Free Mobile lacked the necessary capabilities to sort former subscribers' data in a way that retained only the necessary information for accounting purposes.
They also lacked an adequate data-deletion mechanism at the time of the attack, and when it came to notifying users about the attack, the initial email lacked key details users needed to fully understand its consequences.
Source: The Register