CNIL Fines Free Mobile €42 Million: Breach Notification Failure

January 17, 2026
CNIL fined Free Mobile and Free €42M after a 2024 breach exposed data of 24M subscribers, highlighting MFA gaps, delayed breach notification, and retention.

On 13 January 2026, the French data protection authority (CNIL) imposed cumulative fines totalling €42 million against Free Mobile and Free for serious breaches of the General Data Protection Regulation (GDPR). Free Mobile received a €27 million fine and Free received €15 million. The enforcement action reflects a change in regulatory expectations: compliance with data security, breach notification, and data retention obligations is now treated as an operational obligation rather than a policy exercise.




Did you know? According to ENISA, over 60% of major GDPR fines issued since 2023 involve inadequate security controls, rather than unlawful processing alone.


“Weak authentication remains one of the most exploited entry points in large-scale breaches, particularly in environments processing high volumes of personal data.”



What Happened: The October 2024 Data Breach


In October 2024, an attacker infiltrated the information systems of both companies, gaining access to personal data relating to 24 million subscriber contracts. The attack began on 28 September and continued until 21 October, when the attacker announced the breach publicly. The exposed data included names, postal addresses, phone numbers, dates of birth, email addresses, and for approximately 6 million individuals, International Bank Account Numbers (IBANs).


The attacker exploited weak VPN authentication to gain remote access, then used Free Mobile's subscriber management tool (MOBO) to extract records from both entities. IBAN exposure is particularly significant because it facilitates fraud and unauthorised financial transactions. More than 2,500 affected individuals filed complaints with the CNIL, triggering a formal investigation.




Example: A comparable incident occurred in the telecom sector when attackers exploited single-factor VPN access to exfiltrate customer billing databases over several weeks, demonstrating how perimeter-only security controls fail at scale when identity-based protections are absent.


If multi-factor authentication had been enforced on all remote access points, how much of this breach’s impact could realistically have been prevented?



Why the Fine: Three Major GDPR Violations



Violation 1: Article 32: Inadequate Security Measures


The CNIL found that Free Mobile and Free failed to implement security measures proportionate to the risks created by processing data on millions of subscribers.


Weak VPN Authentication. The companies had not implemented robust authentication for remote access. Multi-factor authentication (MFA), requiring two or more forms of identification, is now a baseline expectation in GDPR enforcement. The companies relied on weaker authentication, allowing the attacker to gain network access without substantial barriers.


Ineffective Monitoring. The companies lacked adequate systems to detect abnormal behaviour on their networks. When an attacker gains access, the ability to identify unusual login patterns, excessive data downloads, or unauthorised system access becomes critical. The CNIL found that Free Mobile and Free had no such detection capability, allowing the attacker to extract millions of records undetected over several weeks.
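The two signals the paragraph names, single-factor remote logins and excessive record exports, can be expressed as detection rules over ordinary authentication and application logs. The block below is an added illustration written for this article, not code from Free Mobile or the CNIL; the log format, account names, the "mobo" source label and the 50,000-rows-per-day threshold are all constructed assumptions.

```python
"""Two hypothetical detection rules over constructed VPN and export logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: "<ts> <source> <account> key=value ...".
# Fields and values are invented for the example.
SAMPLE_LOG = """\
2024-09-28T02:14:07Z vpn u.durand mfa=false result=success src=203.0.113.9
2024-09-28T09:01:22Z vpn m.bernard mfa=true result=success src=198.51.100.4
2024-09-28T02:20:51Z mobo u.durand action=export rows=180000
2024-09-28T03:40:11Z mobo u.durand action=export rows=220000
2024-09-28T10:05:09Z mobo m.bernard action=export rows=40
2024-09-29T02:10:03Z mobo u.durand action=export rows=250000
"""

def parse(log):
    """Turn each log line into a dict with a parsed timestamp."""
    events = []
    for line in log.strip().splitlines():
        ts, source, account, *kv = line.split()
        fields = dict(p.split("=", 1) for p in kv)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "source": source, "account": account, **fields})
    return events

def single_factor_vpn_logins(events):
    """Rule 1: successful VPN sessions that presented no second factor."""
    return [e["account"] for e in events
            if e["source"] == "vpn" and e.get("result") == "success"
            and e.get("mfa") == "false"]

def excessive_exports(events, max_rows_per_day=50_000):
    """Rule 2: accounts whose exported rows in any sliding 24h window
    exceed the cap. Returns {account: largest 24h total seen}."""
    exports = defaultdict(list)
    for e in events:
        if e["source"] == "mobo" and e.get("action") == "export":
            exports[e["account"]].append((e["ts"], int(e["rows"])))
    flagged = {}
    for account, items in exports.items():
        items.sort()
        start, total = 0, 0
        for ts, rows in items:
            total += rows
            while ts - items[start][0] > timedelta(hours=24):  # slide window
                total -= items[start][1]
                start += 1
            if total > max_rows_per_day:
                flagged[account] = max(flagged.get(account, 0), total)
    return flagged
```

In the sample, the single-factor login and the multi-hundred-thousand-row exports both belong to the same account, which is exactly the correlation a monitoring team would want to alert on within hours rather than weeks.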


The CNIL emphasised that while organisations cannot eliminate all security risks, appropriate measures significantly reduce breach probability and limit severity.


Violation 2: Article 34: Inadequate Breach Notification


Article 34 requires that data subjects be notified without undue delay in "clear and plain language," with specific information about the breach consequences and protective actions they can take.


Free Mobile and Free notified affected individuals via email and provided a toll-free number and online request system. However, the CNIL found the initial email lacked necessary information. It did not adequately explain the specific consequences of the breach, particularly the financial risk posed by IBAN exposure, nor did it clearly describe protective steps individuals could take, such as monitoring bank accounts or contacting their financial institution.


Breach notifications must convey specific risks tied to the data exposed, not merely acknowledge that a breach occurred.


Violation 3: Article 5(1)(e): Excessive Data Retention


Free Mobile violated the storage limitation principle by retaining personal data of millions of former subscribers without sorting which records should be kept for legitimate purposes and which should be deleted.


The company had not implemented processes to retain only data necessary for accounting purposes (typically 10 years in France) and delete other historical customer records. During the investigation, Free Mobile began implementing a systematic deletion process, but the violation occurred because retention was not operationalised before the breach. Data retention must be an active compliance obligation, not a static policy.




Did you know? ENISA reports that over 70% of large data breaches in Europe show evidence of delayed detection, often exceeding 30 days.


Conduct a gap analysis to assess whether your monitoring and logging controls would surface suspicious activity in real time.



The Financial Penalty and Remediation Orders


The CNIL imposed €27 million on Free Mobile and €15 million on Free, considering the companies' financial capacity, their lack of knowledge of essential security principles, the number of affected individuals (24 million), the highly personal nature of the data (including IBANs), and the direct financial risks posed.


Both companies received remediation orders: security measures within three months of notification, and data retention sorting and deletion within six months.




Example: Several organisations fined in recent years avoided higher penalties by demonstrating that remediation measures were already operational before regulatory intervention.


Should financial penalties scale more aggressively when remediation begins only after regulatory investigation?



What This Means for Your Organisation: Three Key Takeaways



1. Security baseline is non-negotiable. Multi-factor authentication for remote access, automated monitoring systems, and network segmentation are no longer optional enhancements; they are baseline requirements proportionate to the volume and sensitivity of personal data processed.


2. Breach notification must disclose specific risks. Communications must explain how the exposed data types pose concrete harm to individuals and what protective actions they should take.


3. Data retention is operational, not documentary. Organisations must embed retention policies in technical systems with scheduled, systematic deletion processes. Retention policies kept in spreadsheets or subject to periodic manual review do not satisfy GDPR expectations.
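What "embedding retention in technical systems" looks like in practice is a scheduled job that decides, per record, whether to keep, minimise or delete. The block below is an added example written for this article, not Free Mobile's process; it assumes a 10-year accounting retention from contract end (the article's "typically 10 years"), assumes which fields accounting needs (ACCOUNTING_FIELDS), and uses constructed sample records.

```python
"""Hypothetical retention enforcement for former-subscriber records."""
from datetime import date

ACCOUNTING_RETENTION_YEARS = 10  # assumption: the article's "typically 10 years"
# Assumed minimum set accounting needs; contract_end must stay so the job can
# still compute the deletion date on later runs.
ACCOUNTING_FIELDS = {"subscriber_id", "name", "postal_address", "contract_end"}

def add_years(d, years):
    """Shift a date by whole years, clamping 29 Feb to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def retention_action(record, today):
    """Decide what the scheduled job does with one record.

    keep     : contract still active, every field stays
    minimise : ended, inside accounting retention; drop non-accounting fields
    delete   : accounting retention expired; remove the record entirely
    """
    end = record["contract_end"]
    if end is None:
        return "keep", record
    if add_years(end, ACCOUNTING_RETENTION_YEARS) > today:
        return "minimise", {k: v for k, v in record.items() if k in ACCOUNTING_FIELDS}
    return "delete", None

def run_retention_job(records, today):
    """Apply the rule to a batch; return surviving records and deleted ids."""
    surviving, deleted_ids = [], []
    for r in records:
        action, result = retention_action(r, today)
        if action == "delete":
            deleted_ids.append(r["subscriber_id"])
        else:
            surviving.append(result)
    return surviving, deleted_ids

# Constructed sample: active, ended three years ago, ended twelve years ago.
SAMPLE_RECORDS = [
    {"subscriber_id": "S-001", "name": "A", "postal_address": "1 rue X",
     "email": "a@example.com", "date_of_birth": "1980-01-01", "contract_end": None},
    {"subscriber_id": "S-002", "name": "B", "postal_address": "2 rue Y",
     "email": "b@example.com", "date_of_birth": "1975-05-05", "contract_end": date(2021, 6, 30)},
    {"subscriber_id": "S-003", "name": "C", "postal_address": "3 rue Z",
     "email": "c@example.com", "date_of_birth": "1990-09-09", "contract_end": date(2012, 3, 1)},
]
```

Run on a schedule, the same rule also bounds what a future breach can expose: S-002's email and date of birth are gone long before the record itself is.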




Did you know? A European Commission study found that nearly 50% of organisations retain personal data longer than necessary due to system limitations, not legal requirements.


“Retention compliance fails when deletion is optional rather than automated.”



Broader Regulatory Context: Telecom Sector Under Scrutiny


The Free Mobile and Free enforcement action reflects a broader pattern of regulatory scrutiny on telecommunications providers. In 2025, Orange France and Bouygues Telecom disclosed significant breaches affecting millions of customers. The €42 million penalty signals that security failures in organisations processing subscriber data at scale will result in substantial penalties.


For compliance officers in telecommunications and data-intensive sectors, key self-assessment questions include:


Does your organisation enforce multi-factor authentication for all remote access?


Do you operate centralised logging and real-time alerting to detect unusual data access?


Have you mapped personal data holdings by retention period justified by business necessity?


Do you test breach notification templates for clarity with non-technical individuals?




“Scale amplifies risk. Telecoms must design security for millions of users, not average scenarios.”



FAQs


Why was Free Mobile fined €42 million by the CNIL?

The CNIL imposed the sanction after finding that Free Mobile and Free violated GDPR Article 32, Article 34, and data retention obligations following a major telecom breach.


What data was exposed in the Free Mobile October 2024 breach?

The Free Mobile October 2024 breach exposed subscriber names, contact details, dates of birth and, for around six million individuals, IBANs, creating significant fraud risk.


How did weak VPN security contribute to the data breach?

The attacker exploited weak VPN authentication without multi-factor controls, enabling unauthorised access to internal systems and large-scale data extraction during the security incident.


Which GDPR security requirements did the CNIL find were violated?

The French regulator concluded that the companies failed to meet GDPR Article 32 security requirements by lacking strong authentication, effective monitoring, and proportionate safeguards for sensitive subscriber data.


Why was the breach notification considered inadequate under GDPR Article 34?

The breach notification did not clearly explain the concrete financial risks linked to IBAN exposure or provide sufficient guidance on protective actions, breaching GDPR Article 34 obligations.


What does this GDPR fine mean for telecom companies in France going into 2026?

This fine confirms that GDPR enforcement in 2025–2026 treats cybersecurity, data retention, and data breach response failures as core operational risks, not procedural lapses.



Regulatory Expectations Have Changed


The CNIL fine on 13 January 2026 exemplifies current regulatory standards in European data protection enforcement. Organisations processing personal data on millions of individuals must implement security, notification, and retention practices proportionate to the risks they create. The €42 million penalty reflects that regulators now impose substantial fines for failures affecting millions of individuals. This decision provides clarity on baseline GDPR compliance expectations across the European Union.


Reassess your GDPR compliance posture against current enforcement trends before regulators do it for you.




References


CNIL. (2026). Data breach: FREE MOBILE and FREE fined €42 million. Retrieved from https://www.cnil.fr/en/sanction-free-2026


Lexology. (2026). French telecom operators slapped with €42 million GDPR fine. Retrieved from https://www.lexology.com/pro/content/french-telecom-operators-slapped-eu42-million-gdpr-fine


Bleeping Computer. (2026). France fines Free Mobile €42 million over 2024 data breach incident. Retrieved from https://www.bleepingcomputer.com/news/security/france-fines-free-mobile-42-million-over-2024-data-breach-incident/amp/


The Register. (2026). France fines telcos €42M for issues leading to 2024 breach. Retrieved from https://www.theregister.com/2026/01/14/france_fines_free_free_mobile/


ICLG. (2026). Free Mobile and Free fined €42 million for GDPR failings. Retrieved from https://iclg.com/news/23444-free-mobile-and-free-fined-eur-42-million-for-gdpr-failings/amp


Ground News. (2026). Theft of customers’ personal data: a record €42 million fine for Free. Retrieved from https://ground.news/article/theft-of-customers-personal-data-a-record-42-million-fine-for-free



