France Fines Telcos €42 Million for Sub-Par Security Ahead of 24 Million-Customer Breach

www.theregister.com/2026/01/1…

France’s data protection regulator, CNIL, has issued a combined €42 million ($48.9 million) fine against two French telecommunications companies for GDPR violations related to a major data breach. The companies — Free and Free Mobile — operate as separate entities providing fixed-line and mobile services, respectively, and are both owned by the Iliad Group.

The penalties stem from an October 2024 breach that resulted in the compromise of personal data belonging to more than 24 million individuals, including sensitive financial information such as IBANs.

In its ruling, CNIL stated that the attack began on Sept. 28, 2024. The companies became aware of the intrusion on Oct. 21 after receiving a message from the attacker. Free removed the attacker from its systems the following day.

According to the regulator, the attacker initially accessed Free’s network through the company’s VPN and then connected to Free Mobile’s subscriber management platform, MOBO. At the time of the incident, MOBO allowed users to search and retrieve data for customers of both Free and Free Mobile — including IBANs — provided they were active subscribers.
Edward Kiledjian
@ekiledjian