The independent French administrative regulatory body, CNIL (National Commission on Informatics and Liberty), has fined Free and Free Mobile a combined €42 million over security failures linked to a major customer data breach. The regulator said its investigation found shortcomings in how the companies protected personal data, contributing to the scale of the incident.
CNIL imposed a €27 million fine on Free Mobile and a €15 million fine on Free. The penalties relate to a breach disclosed in 2024, when an attacker accessed internal systems and obtained personal information linked to millions of subscribers. CNIL said the exposed data included customer identifiers and other account details, and in some cases, bank account information such as IBANs.
The companies previously said the intrusion involved unauthorised access to a subscriber management tool. They said at the time that passwords and bank card numbers were not affected. CNIL’s subsequent inspection focused on whether appropriate security measures were in place before the incident and whether the companies met their obligations under European data protection law.
CNIL said the investigation identified weaknesses in access controls and monitoring. It said authentication and security procedures were not sufficiently robust to prevent unauthorised access, and detection measures were not strong enough to identify suspicious activity quickly. The regulator said these gaps increased the risk of customer information being accessed and contributed to the impact of the breach.
The regulator also cited data retention issues, saying the companies did not adequately limit how long personal information was stored, including data linked to former customers. Under the GDPR, organisations are required to keep personal data only for as long as necessary and to apply appropriate technical and organisational safeguards to protect it.
CNIL said the fines reflect the number of people affected and the sensitivity of some of the exposed information. The regulator said the decision is intended to reinforce requirements for telecom providers to secure customer data and ensure that core security controls are consistently applied.
Free and Free Mobile have not announced whether they will appeal. CNIL said the enforcement action follows its standard process for investigating breaches and applying penalties when security and compliance obligations are not met.