Million-euro fine after data breach: CNIL sanctions French provider Free

Following a major data leak at Free and Free Mobile, the French supervisory authority is drawing consequences: the companies must pay a fine of 42 million euros.


The French supervisory authority CNIL has imposed fines of 27 million and 15 million euros, respectively, on the mobile provider Free Mobile and its parent company Free following a massive data breach. The reason for the total fine of 42 million euros was a cyberattack in October 2024, during which unauthorized individuals were able to penetrate deep into the IT systems of both companies. Personal data from around 24 million customer accounts were compromised. The attackers gained access to, among other things, names, addresses, and in many cases even the international bank account numbers (IBANs) of customers.

The decisions published by the CNIL on January 8th followed a wave of over 2500 complaints from affected users. During their investigations, the inspectors discovered shortcomings that went far beyond simple bad luck in an encounter with cybercriminals. The supervisory authority accuses the companies of having disregarded fundamental security principles of the General Data Protection Regulation (GDPR).

In particular, the VPN access that employees used to log in remotely, for example from home, was not secured robustly enough. Furthermore, the systems for detecting unusual behavior were ineffective: they could not stop the massive outflow of data in time. Given the volume and sensitivity of the data, the precautions were insufficient to ensure its confidentiality.

The CNIL was particularly critical of how the affected customers were informed. Although the companies notified their customers by email, the communication fell far short of the legal requirements. In the opinion of the sanctions committee, essential information was missing that users would have needed to understand the consequences of the leak and to protect themselves effectively against misuse. Unclear communication is particularly serious when bank account data is stolen, as it significantly increases the risk of phishing and identity fraud.


Additionally, Free Mobile's data retention practices came under scrutiny. Inspections revealed that the company had hoarded millions of data records of former subscribers for years, although there was no legal necessity for this. The GDPR stipulates that data must be deleted as soon as it is no longer needed for its original purpose. However, Free Mobile failed to purge old records, unnecessarily increasing the amount of information the attackers were able to obtain.

When determining the penalty, the CNIL considered the financial strength of the corporate group and the nature of the data that had leaked. Free is said to have since closed the security vulnerabilities but must complete the implementation of further relevant measures within three months. Free Mobile has a deadline of six months for the cleanup of outdated databases.

(mack)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.