Excerpt from SC World Article, Published on January 15, 2026

French telecom operators Free and Free Mobile received a combined €42 million fine for serious GDPR violations following a large-scale data breach. The penalty was issued by France’s data protection authority, CNIL, after investigators confirmed multiple security failures that exposed sensitive customer data. The breach occurred in late September 2024. Attackers gained access by exploiting weak VPN authentication controls. They also abused a vulnerability in the company’s internal subscriber management platform. These gaps allowed unauthorized access to personal data belonging to more than 24 million users.

The exposed information included names, email addresses, phone numbers, postal details, and bank identifiers such as IBANs. Such data significantly increases the risk of fraud and identity theft. CNIL stated that the companies failed to implement basic safeguards that could have limited the damage. Investigators found that remote access systems lacked strong security controls. Monitoring mechanisms also failed to detect suspicious activity in time. In addition, the companies retained outdated customer records longer than necessary, which increased the amount of data attackers could access.

CNIL also criticized how the companies handled breach notifications. Customer alerts did not clearly explain the risks. They also lacked proper guidance on protective steps. GDPR requires transparency and timely communication during incidents involving personal data. As a result, CNIL imposed a €27 million fine on Free Mobile and a €15 million fine on Free. The authority considered both the scale of the breach and the sensitivity of the exposed data. The French regulator emphasized that telecom providers hold vast amounts of critical user information.

This case sends a strong message across the telecom sector. Organizations must strengthen access controls, improve monitoring, and limit data retention. Failure to do so can lead to severe financial and reputational damage. The French GDPR fine highlights the growing expectations placed on companies that manage large volumes of personal data.

To delve deeper into this topic, visit SC World.