Image: Samuel Boivin / Shutterstock.com
Hacker attack becomes an expensive lesson: €42 million fine for data protection breaches
The French telecommunications company Free and its mobile subsidiary Free Mobile are learning how a cyberattack can turn into a costly data protection disaster. Following a serious security incident in October 2024, in which the personal data of around 24 million customers fell into the wrong hands, the French data protection authority CNIL has now sent a clear message: a fine of €42 million, split into €27 million for Free Mobile and €15 million for its parent company Free.
However, it was not only the attack itself, but above all the companies' behavior after the incident that brought them to the attention of the supervisory authority.
What happened? Data leak due to weak security measures
In October 2024, unknown attackers gained access to the internal systems of Free and Free Mobile. Names, addresses and, in many cases, customers' IBANs were affected. What makes the matter particularly serious is that the attackers apparently got in through inadequately secured VPN connections of the kind used for remote work.
The internal security systems also failed to respond, or responded too late, and the leak went unnoticed for far too long. According to the CNIL, this is a clear violation of the General Data Protection Regulation (GDPR): companies must not only protect data, but also be able to detect and block unusual access. Both of these failed here.
Criticism: Information policy "inadequate," data storage "excessive"
The CNIL was particularly critical of how those affected were treated. Although customers were informed by email, the authority found that crucial information was missing, such as the specific categories of data stolen and the resulting risks. This was a serious omission, especially where bank details were concerned, because it left those affected unable to protect themselves adequately against phishing or identity theft.
Another point of criticism: Free Mobile had kept data on former customers for years without any legal basis. The GDPR is explicit that data may only be retained for as long as it is needed for its original purpose. Anything beyond that is unlawful, and in this case it significantly increased the scale of the leak.
Penalty with notice – and deadlines for rectification
The CNIL showed no mercy when calculating the fine. It justified the amount of the penalty on the basis of the large number of people affected, the high risk posed by the stolen data, and the economic strength of the company.
According to the CNIL, Free and Free Mobile have since closed the initial security gaps. But that is not the end of it:
- Further security measures must be implemented within three months.
- Free Mobile still has six months to delete old customer data.
What we say about this
That a mobile phone giant put millions of customers at risk through poor security standards and sloppy data management is not only a damning indictment, it is a threat to the entire market. Data protection is not an optional feature but an obligation, and anyone who handles sensitive data such as IBANs must secure it better than a refrigerator on the shelf of an electronics store. This penalty hurts, and that is how it should be. We can only hope it triggers not just panic among other providers, but real pressure to act.
Source: heise.de