The French data protection authority (CNIL) has imposed cumulative fines of €42 million on Free Mobile and its parent company, Free, for inadequate security of customer data against cyber threats.
The company is the second-largest internet service provider in France and suffered a data breach in October 2024, exposing data of almost 23 million mobile and fixed subscribers.
The hackers targeted the company's management tool and stole sensitive customer information to sell it afterward on a hacker forum. The offer came from an account named ‘drussellx’ and claimed that the attack impacted 19.2 million customers, and that the details included IBANs for roughly 25% of individuals.
Following an investigation into the incident, CNIL concluded that, despite Free improving its cybersecurity stance after the incident, its earlier negligence violated several GDPR rules.
“Following a lot of complaints (greater than 2,500 to this point) from people affected by this data breach, the CNIL carried out an inspection which revealed breaches of a number of obligations under the General Data Protection Regulation (GDPR) attributable to FREE MOBILE and FREE, each of which is the data controller for its own subscribers,” the French agency said.
Specifically, the following violations were found:
- Failure to ensure data security (Article 32 GDPR) – Free Mobile and Free had inadequate security measures in place, including weak VPN authentication for employees’ remote access and ineffective detection of abnormal activity, which enabled the attack.
- Failure to properly inform affected individuals of the breach (Article 34 GDPR) – Although the companies notified users, the emails lacked detailed information and didn’t clearly explain the consequences of the breach or what steps should be taken to mitigate the risk.
- Excessive retention of personal data (Article 5(1)(e) GDPR) – Free Mobile stored personal data of millions of former subscribers for a longer period than was necessary, and didn’t sort or delete it in due time, beyond what was justified for accounting purposes.
The CNIL ordered both companies to complete their newly implemented security measures within three months, and required Free Mobile to finish sorting and removing excess customer data within six months.
After the breach at Free Mobile, France experienced more customer-exposing or service-disrupting incidents at large telecommunication service providers.
In July 2025, Orange France announced that it had detected a breach on its systems, causing operational disruptions. A month later, Bouygues Telecom suffered a data breach that exposed the sensitive data of 6.4 million customers.




