Data breach: FREE MOBILE and FREE fined €42 million

14 January 2026


On 13th January 2026, the CNIL issued two sanction decisions against FREE MOBILE and FREE, imposing fines of €27 million and €15 million respectively, given the inadequacy of the measures taken to ensure the security of their subscribers' data.

Background information

In October 2024, an attacker managed to infiltrate the companies' information system and access personal data relating to 24 million subscriber contracts, including IBANs for individuals who were customers of both FREE MOBILE and FREE.

Following a large number of complaints (more than 2,500 to date) from individuals affected by this data breach, the CNIL carried out an inspection which revealed breaches of several obligations under the General Data Protection Regulation (GDPR) attributable to FREE MOBILE and FREE, each of which is the data controller for its own subscribers.

As a result, the restricted committee – the CNIL body responsible for imposing sanctions – imposed a fine of €27 million on FREE MOBILE and a fine of €15 million on FREE, taking into account in particular their financial capacities, their lack of knowledge of essential security principles, the number of people affected and the "highly" personal nature of the data concerned, as well as the risks posed by the breach of certain data (IBAN).

The breaches sanctioned for FREE and FREE MOBILE

A breach of the obligation to ensure the security of personal data (Article 32 of the GDPR)

The restricted committee found that, on the day of the data breach, the companies had not implemented certain basic security measures that could have made the attack more difficult.

In particular, it noted that the authentication procedure for connecting to the VPNs of FREE MOBILE and FREE – used in particular for remote working by the companies' employees – was not sufficiently robust. Furthermore, the measures deployed by FREE MOBILE and FREE to detect abnormal behaviour on their information systems were ineffective.

Given the amount and nature of the data processed, the restricted committee considered that the security measures deployed by the companies to ensure confidentiality were inadequate. It pointed out that, although it is impossible to eliminate all risks, these measures can reduce their probability and, when necessary, limit their severity.

The restricted committee also noted that the companies had taken several measures during the proceedings to strengthen their level of security. It ordered them to complete the implementation of these new measures within three months.

A breach of the obligation to notify data subjects of the data breach (Article 34 of the GDPR)

The CNIL found that the companies had informed the individuals affected by the data breach through two levels of communication:

  • at the first level, an information email;
  • at the second level, a toll-free number and an internal system for managing requests to the data protection officer.

However, the restricted committee considered that the email sent did not contain all the necessary information referred to in paragraph 2 of Article 34 of the GDPR, ruling that these omissions did not allow the individuals concerned to directly understand the consequences of the breach, nor the measures they could take to protect themselves from them.

A breach by FREE MOBILE of its obligation to retain personal data for a limited period (Article 5-1-e of the GDPR)

The CNIL noted that, on the date of the inspection, the company had not implemented measures to sort the data of former subscribers in order to retain only those necessary for accounting purposes and then delete them when their retention was no longer necessary.

The restricted committee reminded the company that it is required to sort through the data to be retained after a certain period and to ensure that the data is deleted at the end of its retention period. Based on the findings of the inspection and the company's statements, it considered that FREE MOBILE had retained millions of pieces of data regarding its subscribers without justification for an excessive period of time.

During the proceedings, the company began sorting the data in order to retain for ten years only the data necessary to comply with its accounting obligations and deleted some of the data that had been retained for an excessive period.

The restricted committee ordered the company to complete the sorting and purging of data within six months of notification of the decision.