Three major GDPR violations, including a lack of basic security controls, lead to hefty dent in profits

The French data protection regulator, CNIL, today issued a collective €42 million ($48.9 million) fine to two French telecom companies for GDPR violations stemming from a data breach.

Free and Free Mobile are two separate businesses, respectively overseeing fixed-line and mobile services, owned by Iliad Group. The fines relate to an October 2024 breach that led to the data of more than 24 million individuals being compromised, including financial information such as IBANs.

In its judgment, CNIL noted that the attack began on September 28, 2024, and the companies were made aware of the intrusion on October 21 via a message from the attacker responsible. Free ousted the attacker from its systems the following day.

The attackers gained access to Free's network via the company VPN before connecting to Free Mobile's subscriber management tool, MOBO. Even though the attacker only gained access to Free Mobile's application ...