France fines Free Mobile €42 million over 2024 data breach incident

The French data protection authority (CNIL) has imposed cumulative fines of €42 million on Free Mobile and its parent company, Free, for inadequate protection of customer data against cyber threats.

The company is the second-largest internet service provider in France and suffered a data breach in October 2024, exposing data of nearly 23 million mobile and fixed subscribers.

The hackers targeted the firm's management tool and stole sensitive customer information to sell it later on a hacker forum. The offer came from an account named 'drussellx' and claimed that the attack impacted 19.2 million customers, and that the details included IBANs for roughly 25% of individuals.

Following an investigation into the incident, CNIL concluded that, despite Free improving its cybersecurity stance after the incident, its earlier negligence violated several GDPR rules.

“Following numerous complaints (more than 2,500 so far) from individuals affected by this data breach, the CNIL carried out an inspection which revealed breaches of several obligations under the General Data Protection Regulation (GDPR) attributable to FREE MOBILE and FREE, each of which is the data controller for its own subscribers,” the French agency said.

Specifically, the following violations were found:

  1. Failure to ensure data security (Article 32 GDPR) – Free Mobile and Free had inadequate security measures in place, including weak VPN authentication for employees' remote access and ineffective detection of abnormal activity, which enabled the attack.
  2. Failure to properly inform affected individuals of the breach (Article 34 GDPR) – Although the companies notified users, the emails lacked detailed information and did not clearly explain the consequences of the breach or what steps should be taken to mitigate the risk.
  3. Excessive retention of personal data (Article 5(1)(e) GDPR) – Free Mobile kept personal data of millions of former subscribers for a longer period than was necessary, and did not sort or delete it in due time, beyond what was justified for accounting purposes.

The CNIL ordered both companies to complete their newly implemented security measures within three months, and required Free Mobile to finish sorting and removing excess customer data within six months.

After the breach at Free Mobile, France experienced more customer-exposing or service-disrupting incidents at large telecommunication service providers.

In July 2025, Orange France announced that it had detected a breach on its systems, causing operational disruptions. A month later, Bouygues Telecom suffered a data breach that exposed the sensitive data of 6.4 million customers.
