Mallory

CNIL Fines Iliad Subsidiaries Free and Free Mobile for Security Failures Behind 2024 Data Breach

Tags: CNIL, Free Mobile, breach, Free, GDPR, €42 million, financial, IBANs, Iliad, VPN, exfiltration, identifiers, intrusion, communications
Updated January 15, 2026 at 08:01 PM · 5 sources


France’s data protection regulator CNIL issued a collective €42 million fine against Iliad Group subsidiaries Free and Free Mobile for GDPR violations tied to an October 2024 breach that exposed personal data for more than 24 million individuals, including sensitive financial identifiers such as IBANs. CNIL cited the scale and sensitivity of the compromised data, as well as the companies’ profits, in setting penalties of €27 million for Free and €15 million for Free Mobile.

Regulators said the intrusion was enabled by inadequate security controls, including a weak VPN authentication process and insufficient monitoring to detect anomalous activity. Reporting indicates the attacker accessed Free’s network via the corporate VPN, then reached Free Mobile’s subscriber management tool MOBO, which at the time allowed searches across both Free and Free Mobile customer datasets; exfiltration reportedly began in early October 2024 after initial access in late September. CNIL also faulted the companies for insufficient breach communications to impacted customers and for improper data retention (including retaining former subscribers’ data), while noting remediation steps have been initiated and further security improvements were ordered.
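As an added illustration (not code from the original report, CNIL, or the companies involved), a small Python detector of the kind of monitoring CNIL found lacking: it flags a tool account that performs bulk subscriber lookups in a short window, or that queries both brands' customer datasets through a single login, run over constructed audit lines. The log format, account names, datasets and thresholds are all assumptions, not MOBO's real format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines in an assumed format (not MOBO's real one):
# <ISO timestamp> <tool account> <dataset: free|mobile> <customer id>
SAMPLE_LOG = """\
2024-10-02T09:00:01Z agent07 free 100001
2024-10-02T09:41:30Z agent07 free 100002
2024-10-02T10:15:09Z agent07 free 100003
2024-10-02T23:02:00Z vpn-ext12 free 200001
2024-10-02T23:02:04Z vpn-ext12 free 200002
2024-10-02T23:02:07Z vpn-ext12 mobile 300001
2024-10-02T23:02:11Z vpn-ext12 mobile 300002
2024-10-02T23:02:15Z vpn-ext12 free 200003
2024-10-02T23:02:19Z vpn-ext12 mobile 300003
2024-10-02T23:02:22Z vpn-ext12 free 200004
"""

WINDOW = timedelta(minutes=10)  # sliding window for the rate check
MAX_LOOKUPS = 5                 # assumed ceiling for one agent in one window

def parse(log):
    """Turn audit lines into (timestamp, account, dataset, customer) tuples, oldest first."""
    events = []
    for line in log.splitlines():
        ts, account, dataset, cust = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, dataset, cust))
    return sorted(events)

def find_anomalies(log, window=WINDOW, max_lookups=MAX_LOOKUPS):
    """Return {account: {reasons}} for accounts whose lookup pattern looks like bulk access."""
    by_account = defaultdict(list)
    for ts, account, dataset, _ in parse(log):
        by_account[account].append((ts, dataset))
    flagged = defaultdict(set)
    for account, evts in by_account.items():
        start = 0
        for end in range(len(evts)):  # sliding window over this account's lookups
            while evts[end][0] - evts[start][0] > window:
                start += 1
            if end - start + 1 > max_lookups:
                flagged[account].add("bulk_lookups")
        if len({dataset for _, dataset in evts}) > 1:  # one login reaching both brands' data
            flagged[account].add("cross_dataset")
    return dict(flagged)

if __name__ == "__main__":
    for account, reasons in find_anomalies(SAMPLE_LOG).items():
        print(account, sorted(reasons))
```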

Related Stories

Nexpublica France Fined for Inadequate Security After Data Breach

France’s data protection authority, CNIL, imposed a €1.7 million ($2 million) fine on the software company Nexpublica France following a data breach that exposed sensitive documents of third parties through a company portal. The breach, reported in November 2022, allowed users to access documents belonging to other individuals, prompting an investigation by CNIL, which found that Nexpublica’s data security program was insufficient and failed to meet basic security standards. The regulator cited several aggravating factors in determining the fine, including Nexpublica’s lack of awareness of fundamental security principles, the number of people affected, the sensitivity of the exposed data, and the company’s financial capacity. CNIL also noted that Nexpublica was aware of the security issues prior to the breach but did not take corrective action until after the incident, constituting a violation of the General Data Protection Regulation (GDPR).

2 months ago
CNIL Fines France Travail €5 Million After Social-Engineering Breach Exposed Job Seeker Data

France’s data protection authority **CNIL** fined public employment agency **France Travail** €5 million for failing to implement security measures appropriate to the risk (citing **GDPR Article 32**) after attackers accessed job-seeker data via **social engineering**. Investigators said the attackers compromised accounts used by staff at **Cap emploi** (a partner organization), and that existing safeguards did not sufficiently reduce the risk of unauthorized access through compromised accounts. The intrusion enabled access to personal data associated with roughly **43 million** people, including current registrants, former registrants going back about **20 years**, and individuals with candidate profiles on `francetravail.fr`. Exposed data included **social security/national insurance numbers**, names and dates of birth, and contact details (email, postal address, phone); reporting noted the breach did **not** include bank details or account passwords and did not provide complete job-seeker files. CNIL ordered France Travail to provide evidence and a schedule of corrective actions, backed by a conditional **€5,000/day** penalty for non-compliance.

1 month ago
Unauthorized Access to France’s FICOBA Bank Account Registry Exposes 1.2 Million Accounts

France’s Ministry of the Economy and Finance confirmed that an attacker **accessed and consulted data tied to ~1.2 million French bank accounts** by using **stolen login credentials** belonging to an authorized government user of the national bank account registry (*FICOBA*). The intrusion began in **late January 2026** and exposed account-linked personal data including **IBANs**, account holder **names**, **addresses**, and in some cases **tax identification numbers** (DGFiP-issued). Authorities stated the access did **not** enable viewing balances or initiating transactions. After detection, the ministry reported it **blocked the attacker**, notified France’s data protection authority (**CNIL**), and **filed a criminal complaint**; impacted individuals are expected to be contacted directly, and **banks were alerted** to advise customers to remain vigilant. Reporting noted the incident follows other recent cyber disruptions affecting French public services (including attacks impacting **La Poste/La Banque Postale** and the **Interior Ministry**), though no motive or attribution for the FICOBA access has been publicly confirmed.

3 weeks ago