CNIL fines Free Mobile and Free €42 million after a 2024 breach exposed 24 million contracts
France’s CNIL issued two sanctions against Free Mobile and Free, totaling €42 million, after an attacker was able to access the personal data of no fewer than 24 million subscribers. The exposed information included financial data, such as bank account identifiers (IBANs), which made the incident particularly severe and resulted in thousands of customer complaints. In its official statement, the CNIL said that fundamental data security measures were lacking, leaving weaknesses in VPN access authentication as well as in abnormal behavior monitoring.
The authority acknowledged the companies’ efforts to improve these and other measures following the incident and investigation. While the companies did reach out to the CNIL to report the incident, the authority stated that they did not include the full information required by the GDPR.