Ultimate Guide: France Fines Free Mobile €42 Million Over 2024 Data Breach Incident

The French data protection authority (CNIL) has imposed cumulative fines of €42 million on Free Mobile and its parent company, Free, for inadequate protection of customer data against cyber threats.

The hackers targeted the firm’s management tool and stole sensitive customer information to sell it later on a hacker forum. The offer came from an account named 'drussellx' and claimed that the attack impacted 19.2 million customers, and that the details included IBANs for roughly 25% people.

Following an investigation into the incident, CNIL concluded that, despite Free improving its cybersecurity stance after the incident, its previous negligence violated several GDPR rules.

Specifically, the following violations have been found:

The CNIL ordered both companies to complete their newly implemented security measures within three months, and required Free Mobile to finish sorting and removing excess customer data within six months.

After the breach at Free Mobile, France experienced more customer-exposing or service-disrupting incidents on large telecommunication service providers.

In July 2025, Orange France announced that it had detected a breach on its systems, causing operational disruptions. A month later, Bouygues Telecom suffered a data breach that exposed the sensitive data of 6.4 million customers.

As MCP (Model Context Protocol) becomes the standard for connecting LLMs to tools and data, security teams are moving fast to keep these new services safe.

This free cheat sheet outlines 7 best practices you can start using today.

UK fines LastPass over 2022 data breach impacting 1.6 million users

Source: BleepingComputer