The French data protection authority (CNIL) has imposed cumulative fines of €42 million on Free Mobile and its parent company, Free, for inadequate protection of customer data against cyber threats.

The company is the second-largest internet service provider in France and suffered a data breach in October 2024, exposing information of nearly 23 million mobile and fixed subscribers.

The hackers targeted the firm’s management tool and stole sensitive customer information to sell it later on a hacker forum. The offer came from an account named ‘drussellx’ and claimed that the attack impacted 19.2 million customers, and that the details included IBANs for roughly 25% people.

Following an investigation into the incident, CNIL concluded that, despite Free improving its cybersecurity stance after the incident, its previous negligence violated several GDPR rules.

“Following a large number of complaints (more than 2,500 to date) from individuals affected by this data breach, the CNIL carried out an inspection which revealed breaches of several obligations under the General Data Protection Regulation (GDPR) attributable to FREE MOBILE and FREE, each of which is the data controller for its own subscribers,” the French agency said

Specifically, the following violations have been found:

1. Failure to ensure data security (Article 32 GDPR) – Free Mobile and Free had inadequate security measures in place, including weak VPN authentication for employees’ remote access and ineffective detection of abnormal activity, which which enabled the attack.
2. Failure to properly inform affected individuals of the breach (Article 34 GDPR) – Although the companies notified users, the emails lacked detailed information and did not clearly explain the consequences of the breach or what steps should be taken to mitigate the risk.
3. Excessive retention of personal data (Article 5(1)(e) GDPR) – Free Mobile kept personal data of millions of former subscribers for a longer period than was necessary, and did not sort or delete it in due time, beyond what was justified for accounting purposes.

The CNIL ordered both companies to complete their newly implemented security measures within three months, and required Free Mobile to finish sorting and removing excess customer data within six months.

After the breach at Free Mobile, France experienced more customer-exposing or service-disrupting incidents on large telecommunication service providers.

In July 2025, Orange France announced that it had detected a breach on its systems, causing operational disruptions. A month later, Bouygues Telecom suffered a data breach that exposed the sensitive data of 6.4 million customers.