Free Mobile Fined EUR 42M After 24.6 Million Customer Records Stolen

Jan 16, 2026 · EUR 42M fine

HIGH

By Karim El Labban · ZERO|TOLERANCE


CNIL imposed a combined EUR 42 million fine on Free Mobile (EUR 27 million) and Free SAS (EUR 15 million), both subsidiaries of France's Iliad Group, following a data breach in October 2024 that exposed 24.6 million customer contracts covering 19.2 million unique individuals.

A threat actor exploited weak VPN authentication to access MOBO, Free Mobile's subscriber management tool, and exfiltrated 43.6GB of customer data over 15 days without triggering a single alert. The stolen dataset included 5.11 million IBAN bank account numbers.

CNIL received more than 2,500 complaints from affected individuals.

01

KEY FACTS

  • What: Attacker exploited weak VPN authentication to access a subscriber management tool and exfiltrate 43.6GB of customer data over 15 days undetected.
  • Who: Free Mobile and Free SAS (Iliad Group, EUR 10B revenue), France's second-largest telecom. 19.2 million unique individuals across 24,633,469 customer contracts.
  • How: VPN access without multi-factor authentication, then lateral movement to MOBO subscriber management tool. No effective anomaly detection.
  • Data: Full names, email addresses, physical addresses, phone numbers, dates of birth, genders, account details, and 5.11 million IBAN bank account numbers with BIC codes.
  • Actor: "drussellx" (BreachForums). Extortion-motivated. Data listed for auction at $175,000 but never sold. Dataset later leaked publicly (added to Have I Been Pwned May 27, 2025, 13.9M accounts).
  • Impact: EUR 42M CNIL fine (EUR 27M Free Mobile + EUR 15M Free). 2,500+ individual complaints. Phishing wave targeting victims in January 2026. Appeal pending before Conseil d'Etat.
02

WHAT HAPPENED

Between September 28 and October 22, 2024, a threat actor infiltrated the networks of Free Mobile and Free SAS, both subsidiaries of Iliad Group, France's second-largest telecommunications operator with EUR 10 billion in annual revenue and 50.5 million subscribers across France, Italy, and Poland.

Founded by Xavier Niel, Iliad was delisted from Euronext Paris in October 2021 after Niel's squeeze-out at EUR 182 per share.

The attacker gained initial access through the corporate VPN, which lacked multi-factor authentication. Once inside, the attacker moved laterally to MOBO, Free Mobile's subscriber management tool.

A critical architectural flaw in MOBO allowed searching customer data for both Free Mobile and Free SAS subscribers - including their IBANs - through a single interface, effectively doubling the breach's scope.

Active data exfiltration began on October 6 and continued for 15 days. Neither company detected the intrusion. Free learned of the breach on October 21 - not from its own monitoring, but from a message sent by the attacker.

Free removed the attacker on October 22 and notified CNIL on October 23. The post-mortem revealed 24,633,469 compromised contracts: 19,460,891 Free Mobile and 5,172,577 Free fixed-line.

On October 17 - four days before Free discovered the breach - the data had already appeared on BreachForums.

The threat actor "drussellx" offered 43.6GB for auction, then claimed it sold for $175,000. A second actor, "YuroSh," later confirmed to DataBreaches.net that no sale occurred - the auction and "sold" posts were extortion pressure tactics.

Despite these claims, the dataset was eventually leaked publicly: Have I Been Pwned added 13.9 million accounts on May 27, 2025.

In January 2026, a wave of personalized phishing emails targeted Free customers, leveraging the stolen data - including exact IBANs - for credential harvesting and financial fraud.

03

THREAT ACTOR

The attacker "drussellx" posted the stolen dataset on BreachForums on October 17, 2024. A second actor "YuroSh" was also involved, with different motivations - drussellx sought financial extortion while YuroSh appeared motivated by hacktivism.

Neither successfully monetized the data through sale; the $175,000 claim was confirmed as an extortion pressure tactic.

04

WHAT WAS EXPOSED

The stolen dataset covered 19.2 million unique individuals across 24,633,469 contracts: full names, email addresses (14M unique per HIBP), physical addresses, phone numbers, dates of birth, genders, user IDs and logins, service offer details, account statuses, contract details, service activation dates, Freebox device identifiers, 5.11 million IBAN bank account numbers, and BIC codes.

Passwords, bank card numbers, and communication contents were NOT compromised.

The IBAN exposure is particularly dangerous. While Free downplayed the risk, the combination of IBANs with full names, addresses, dates of birth, and phone numbers enables highly targeted social engineering.

Under EU SEPA rules, victims have 13 months to dispute unauthorized direct debits - but only if they detect the fraud.

05

TECHNICAL FAILURE CHAIN

1. No multi-factor authentication on VPN. The corporate VPN relied on single-factor authentication. CNIL's rapporteur specifically cited the absence of MFA. ANSSI publishes standing guidance recommending strong MFA for VPN access.

2. Overly permissive VPN connection scoring. The scoring mechanism failed to flag or block suspicious access patterns, allowing the attacker to maintain persistent access for 24 days (Sept 28 - Oct 22).

3. Inadequate password storage for MOBO users. Password storage did not meet minimum security requirements.

4. Architectural flaw in MOBO - cross-entity data access. MOBO allowed any authenticated user to query customer data across both Free Mobile and Free SAS, including IBANs. No data segmentation between entities.

5. No effective anomaly detection. 43.6GB exfiltrated over 15 days without triggering a single alert. CNIL found the anomaly detection measures "ineffective."

6. Discovery via attacker notification. Free learned of the breach from the attacker's own message - four days after the data had already been posted on BreachForums.

7. Excessive data retention. Free Mobile retained data from more than 15 million terminated contracts older than five years, including approximately 3 million cancelled more than 10 years ago. This data served no operational purpose.

Its unnecessary retention exposed millions of former customers who should never have been at risk.

06

REGULATORY EXPOSURE

  • GDPR Article 32 (Security of Processing) - Primary basis. No MFA on VPN, ineffective anomaly detection, inadequate password storage. Applied to both entities.
  • GDPR Article 5(1)(e) (Storage Limitation) - Free Mobile retained 15M+ terminated contracts beyond legal limits, including ~3M over 10 years. Applied to Free Mobile only - this is why Free Mobile's fine (EUR 27M) exceeds Free's (EUR 15M).
  • GDPR Article 34 (Communication to Data Subjects) - Breach notification emails omitted required Article 34(2) information. Affected individuals could not understand consequences or protective measures.
  • GDPR Article 5(1)(f) (Integrity and Confidentiality) - Implicit in Article 32 finding.
  • Fine calculation: CNIL considered Iliad's EUR 10B turnover and EUR 367M profit, severity of basic failures, scale (one-third of France), financial data sensitivity (IBANs), and 2,500+ complaints. Maximum theoretical: EUR 400M (4% of EUR 10B). The EUR 42M represents 0.42% of turnover.
  • Prior enforcement: CNIL fined Free EUR 300,000 in November 2022 for cleartext password storage and rights violations. The 2024 breach demonstrates Free did not materially improve its security posture.
  • Remediation orders: Security improvements within 3 months; data purge within 6 months.
  • NIS2: As a telecom provider, Free qualifies as an essential entity under NIS2, triggering additional incident reporting and cybersecurity requirements.
  • Appeal: Iliad will appeal to the Conseil d'Etat, calling the sanctions "completely disproportionate."
07

CNIL ENFORCEMENT CONTEXT

The EUR 42M is the largest CNIL fine ever imposed for a cyberattack-caused breach (vs. cookie/transfer violations). CNIL imposed EUR 486.8M across 83 sanctions in 2025 - nearly nine times the EUR 55.2M from 87 sanctions in 2024 - signaling a dramatic enforcement escalation.

08

ZERO|TOLERANCE Advisory

1. Deploy phishing-resistant MFA on all VPN access. FIDO2 hardware keys or certificate-based authentication. ANSSI recommends this as baseline. Would have prevented initial access entirely.

2. Segment MOBO data access by entity and role. A Free Mobile agent should not query Free SAS IBAN data. Role-based access with least privilege.

3. Deploy real-time anomaly detection for bulk data access. 43.6GB over 15 days should trigger automated alerts within hours.

4. Implement DLP at application and network layers. Block unauthorized bulk exports of customer PII, particularly financial data.

5. Enforce data retention with automated purging. Contracts terminated beyond the retention period should be automatically purged. 15 million stale records is storage limitation negligence.

6. Implement adequate breach notification. Pre-draft Article 34-compliant templates with all required information. The January 2026 phishing wave demonstrates the cost of inadequate notification.
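The bulk-access alerting recommended in item 3, as an added example that is not part of the original advisory or of Free's tooling: a sliding-window detector run over constructed subscriber-tool audit lines. The log format (timestamp, user, action, records returned), the user names and the illustrative 600,000-records-per-24-hours threshold are all assumptions for this example.

```python
"""Sliding-window bulk-access detector for subscriber-tool audit logs (added
example; log format, user names and thresholds are constructed, not Free's)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-10-06T08:01:12Z user=agent17 action=search records=3
2024-10-06T08:03:40Z user=agent17 action=search records=1
2024-10-06T09:10:05Z user=vpn_svc action=export records=250000
2024-10-06T11:42:19Z user=vpn_svc action=export records=250000
2024-10-07T01:15:00Z user=vpn_svc action=export records=250000
2024-10-07T02:30:00Z user=vpn_svc action=export records=250000
2024-10-07T10:00:00Z user=agent22 action=search records=2
2024-10-08T12:00:00Z user=vpn_svc action=export records=250000
"""  # constructed lines: ISO timestamp, account, action, records returned

def parse_line(line):
    """Return (timestamp, user, records) for one audit line, or None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        fields = dict(p.split("=", 1) for p in parts[1:])
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        return ts, fields["user"], int(fields["records"])
    except (ValueError, KeyError):
        return None

def detect_bulk_access(log_text, window=timedelta(hours=24), threshold=600_000):
    """Alert when a user's windowed record count first exceeds threshold; one alert per episode."""
    recent = defaultdict(deque)   # user -> (timestamp, records) inside the window
    total = defaultdict(int)      # user -> records inside the window
    over = set()                  # users currently above threshold
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue              # skip malformed lines instead of crashing
        ts, user, records = parsed
        recent[user].append((ts, records))
        total[user] += records
        while ts - recent[user][0][0] > window:   # expire entries older than window
            total[user] -= recent[user].popleft()[1]
        if total[user] > threshold:
            if user not in over:
                over.add(user)
                alerts.append((ts, user, total[user]))
        else:
            over.discard(user)
    return alerts
```

On the sample, the individual agents never alert, while the account exporting 250,000 records at a time crosses the window threshold on its third export, about 16 hours into the activity rather than 15 days later.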

09

SOURCES

CNIL Deliberation SAN-2026-001 (Legifrance), CNIL Press Release, BleepingComputer, The Register, The Record, CyberInsider, DataBreaches.net, Bitdefender, ICLG, Mondaq, ComplianceHub, SC Media, Have I Been Pwned, MLex, Cybernews, ANSSI General Recommendations
