The case dates back to the fall of 2024, but its consequences continue to accumulate. At the beginning of the week, during a session of the CNIL's restricted committee (the body responsible for pronouncing sanctions), the rapporteur Fabien Tarissan requested two public fines against Free, according to La Lettre and Les Echos. Total amount: 48 million euros. In detail, 33 million euros would target Free Mobile, an entity directly affected by the October 2024 leak, and 15 million euros the parent company Iliad.
Record sanction in sight
At the time, cybercriminals had gotten their hands on the data of 19.2 million subscribers, including around 5.1 million IBANs. A volume which places this incident among the most serious recorded in France. A year later, the perpetrator(s) of the hack are still at large, while the data remains exploitable for fraud and phishing campaigns.
The procedure initiated by the CNIL follows an in-depth inspection, triggered after the leak was revealed. The regulator then considered that sufficiently serious breaches justified the opening of a sanction procedure. According to La Lettre, the rapporteur highlighted several grievances, in particular the retention of very old data linked to contracts terminated more than ten years ago, as well as flaws in the security of internal access, in particular VPNs.
On Free’s side, there is official silence, but for certain observers, the sanction appears "absolutely disproportionate" compared with previous cases. In 2018, Uber was fined 400,000 euros after the data of 57 million users was compromised. More recently, in 2024, Ledger was fined up to 750,000 euros, in a decision which had not been made public.
The contours of the attack have gradually become more or less clear. At the end of 2024, Free mentioned “unauthorized access” following the hacking of a management tool, without giving further details. The affair quickly had concrete effects for subscribers, with an upsurge in scams based on credible information, and for good reason. The CNIL has also received more than 2,000 complaints on the subject. Free claims to have since corrected all of the shortcomings noted by the regulator. Access to customer data while working remotely has been suspended, and compromised identifiers have been revoked and replaced. What remains now is the CNIL's final ruling. Verdict expected in early 2026.
