CNIL sanction against Free: a fine of 42 million euros after the 2024 cyberattack

Have you ever thought about the consequences of a security breach at a company that manages millions of personal data records? Imagine the pressure and the stakes upon realizing that this sensitive information has been compromised. Free, a major player in telecommunications, finds itself in this delicate situation following the cyberattack of October 2024. Discover how this case took a decisive turn with the sanction imposed by the CNIL.

The 3 key facts not to miss

  • The CNIL imposed a fine of 42 million euros on Free for violating the GDPR.
  • 24 million contracts were compromised during the cyberattack, exposing critical personal data.
  • Free must strengthen its security measures and review its data management within strict deadlines.

The CNIL sanction

On January 14, 2026, the CNIL announced a massive fine of 42 million euros against Free, a decision made in response to the devastating cyberattack of October 2024. Free Mobile was ordered to pay 27 million euros, while Free must pay 15 million euros. This financial sanction highlights the seriousness of a situation in which flaws in the protection of personal data were identified.

Impact of the cyberattack

The cyberattack exposed 24 million contracts, endangering sensitive information such as customers’ banking details. A CNIL investigation revealed that the hacker was able to access Free’s servers through insufficiently secured VPN connections. Despite the presence of monitoring systems, the intrusion went unnoticed, thus exposing the weaknesses of the company’s security infrastructure.

Crisis management and data protection

Beyond technical flaws, Free’s crisis management was criticized for its lack of clarity and transparency. Although the operator informed its customers by email and set up a toll-free number, these actions were not enough to reassure subscribers or provide them with concrete measures to protect themselves. Furthermore, Free Mobile was criticized for retaining former customers’ data without legitimate reason, thereby increasing security risks.

Upcoming obligations for Free

The CNIL has set strict deadlines for Free to correct its shortcomings. Free Mobile has six months to clean up its obsolete databases. Meanwhile, Free must finalize its new security measures within three months. These requirements aim to ensure that the operator meets the minimum security standards to protect its customers’ personal data.

Context on Free and the CNIL

Free, founded by Xavier Niel, is one of the leading telecommunications providers in France. The company has always been at the forefront of innovation in the sector, but this cyberattack highlights significant cybersecurity challenges.

The CNIL, on the other hand, is the French regulatory authority for data protection. Responsible for ensuring compliance with the GDPR, it plays a crucial role in enforcing privacy protection rules in France. Its recent actions against Free underscore the growing importance of data security in today’s digital environment.
