On January 13, 2026, France’s data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), issued one of its most significant enforcement actions to date: a combined €42 million fine against Free Mobile (€27 million) and its sister company Free SAS (€15 million). The penalty stems from an October 2024 data breach that exposed personal information—including sensitive financial data—belonging to 24 million subscriber contracts.
This landmark decision sends a clear message to organizations across Europe and beyond: basic security hygiene failures will no longer be tolerated, data hoarding carries real consequences, and breach notifications must be meaningful. For compliance professionals, IT leaders, and executives worldwide, the Free Mobile case offers a masterclass in what not to do—and a roadmap for avoiding similar regulatory catastrophe.
The Breach: How Attackers Exploited Fundamental Weaknesses
The attack that triggered CNIL’s enforcement action began on September 28, 2024. A threat actor, later identified on cybercrime forums as “drussellx,” successfully infiltrated Free’s corporate network through what CNIL investigators would later characterize as inadequate VPN authentication mechanisms.
The Attack Timeline
The breach unfolded over nearly a month before detection:
- September 28, 2024: Initial unauthorized access gained via corporate VPN
- October 6, 2024: Attackers begin systematic data exfiltration
- October 17, 2024: Stolen data appears on BreachForums with sample files proving authenticity
- October 21, 2024: Free becomes aware of the intrusion—via a message from the attacker
- October 22, 2024: Company removes attacker from systems
The fact that Free learned of the breach from the attacker—not their own security monitoring—speaks volumes about the detection failures that CNIL later highlighted in its decision.
What Was Stolen
The scope of compromised data was staggering:
- 24,633,469 total subscriber contracts affected
  - 19,460,891 Free Mobile contracts
  - 5,172,577 Free (fixed-line) contracts
- Personal identification information: names, addresses, contact details
- Sensitive financial data: IBANs (International Bank Account Numbers) for customers subscribed to both services
- Account credentials and service history
The inclusion of IBAN numbers particularly concerned regulators, as this banking information could enable fraud, unauthorized direct debits, or targeted phishing campaigns against affected individuals.
CNIL’s Findings: Three Critical GDPR Violations
CNIL’s investigation, launched in response to over 2,500 complaints from affected individuals, identified three distinct categories of GDPR violations. Each represents a failure that organizations across all sectors should examine carefully.
Violation 1: Failure to Ensure Data Security (Article 32 GDPR)
The most damning finding was that basic security measures were simply absent or ineffective on the day of the breach. CNIL’s restricted committee—the body responsible for imposing sanctions—found multiple security failures that “could have made the attack more difficult.”
VPN Authentication Failures
Both Free Mobile and Free operated VPN systems for remote employee access. These VPNs lacked “sufficiently robust” authentication procedures. In an era when multi-factor authentication (MFA) has become standard practice, the absence of strong VPN authentication represents a fundamental security oversight.
The implications extend beyond Free. Organizations that still rely on single-factor authentication for VPN access—particularly username and password combinations—face similar vulnerability. The 2024 attack landscape has demonstrated repeatedly that compromised credentials are among the most common initial access vectors for threat actors.
Detection System Failures
Perhaps more troubling was CNIL’s finding that the companies’ measures to detect abnormal behavior on their information systems “were ineffective.” Despite security investment, Free could not identify:
- Unusual VPN connection patterns
- Abnormal access to the MOBO subscriber management system
- Mass data extraction occurring over two weeks
The attacker’s ability to exfiltrate data from October 6 through October 21 without triggering alerts suggests either inadequate monitoring coverage, poorly tuned detection rules, or insufficient security operations center (SOC) capabilities.
The “MOBO” System Architecture Flaw
A critical architectural weakness amplified the breach’s scope. Free Mobile’s subscriber management tool, MOBO, allowed users to search for data belonging to customers of both Free and Free Mobile—including their IBANs—provided those customers subscribed to both services. This design meant that compromising Free Mobile’s systems exposed data from both companies, effectively doubling the impact.
Violation 2: Inadequate Breach Notification (Article 34 GDPR)
GDPR requires organizations to notify affected individuals of data breaches “without undue delay” when the breach is likely to result in high risk to their rights and freedoms. The notification must include specific information to help individuals protect themselves.
Free and Free Mobile did notify customers through a two-tiered approach:
1. An initial notification email
2. A toll-free number and internal system for data protection officer inquiries
However, CNIL ruled that the email notifications failed to meet Article 34 requirements. The communications:
- Did not contain all necessary information specified in GDPR Article 34(2)
- Failed to help individuals “directly understand the consequences of the breach”
- Did not adequately explain measures individuals could take to protect themselves
This finding underscores a common organizational mistake: treating breach notifications as legal checkboxes rather than meaningful communications designed to protect affected individuals. When millions of IBANs are exposed, vague notifications that don’t explain the specific risks of banking fraud or identity theft fail both the letter and spirit of GDPR.
Violation 3: Excessive Data Retention (Article 5(1)(e) GDPR)—Free Mobile Specific
The €27 million fine against Free Mobile (higher than Free’s €15 million) partly reflects an additional violation: systematic failure to comply with data minimization and storage limitation principles.
CNIL found that Free Mobile:
- Had not implemented measures to sort former subscriber data
- Failed to retain only information necessary for accounting purposes
- Lacked mechanisms to delete data when retention was no longer necessary
- Kept “millions of pieces of data regarding its subscribers without justification for an excessive period of time”
This finding demolishes the common corporate practice of retaining customer data indefinitely “just in case.” The breach exposed not only current customers but years of former subscribers whose data should have been purged.
The calculus is straightforward: every piece of data you retain is potential breach exposure. Free Mobile’s data hoarding transformed a significant breach into a catastrophic one, affecting far more individuals than necessary.
Why €42 Million? Understanding the Fine Calculation
CNIL considered multiple factors when determining the penalty:
- Financial capacity: Iliad Group (parent company) reported €10 billion in revenue and €367 million profit in 2024
- Severity of violations: Basic security measures absent; not sophisticated attacks exploiting zero-days
- Scale of harm: 24 million contracts affected—representing a substantial portion of the French population
- Nature of data: “Highly personal” information including financial data (IBANs) creating tangible fraud risks
- Organizational response: While improvements were implemented during the investigation, this came after years of inadequate practices
The split between Free Mobile (€27 million) and Free (€15 million) reflects both the relative subscriber numbers affected and Free Mobile’s additional data retention violations.
Lessons for Every Organization: Avoiding the Free Mobile Fate
The Free Mobile enforcement action provides a practical compliance blueprint. Organizations should examine their own practices against these failures.
Lesson 1: VPN Security Is Non-Negotiable
Remote work has made VPN security a critical control point. Organizations must ensure:
Multi-Factor Authentication
Every VPN connection should require at least two authentication factors. Options include:
- Hardware security keys (FIDO2/WebAuthn)
- Mobile authenticator apps (time-based one-time passwords)
- Push notifications to registered devices
- Certificate-based authentication
Single-factor VPN authentication in 2026 is indefensible before any regulator.
Conditional Access Policies
Modern zero-trust architectures go beyond simple authentication:
- Device health verification before connection
- Geolocation and impossible travel detection
- Time-of-day access restrictions
- Session duration limits
Continuous Monitoring
VPN connections should generate rich telemetry for security analysis:
- Baseline normal connection patterns per user
- Alert on unusual connection times or durations
- Flag connections from new geographic locations
- Monitor data transfer volumes per session
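As an added illustration of the telemetry checks listed above, plus the impossible-travel test from the conditional access list, the following Python learns a per-user baseline from historical VPN session records and flags later sessions that fall outside it. This is example code written for this discussion, not code from Free, Iliad or CNIL. The log format, the geo-IP coordinates and every value in the sample log are constructed, and the 900 km/h geo-velocity bound and 5x volume multiplier are assumed thresholds.

```python
"""Per-user VPN session baselining with geo-velocity ("impossible travel").

Added example for this article; not code from Free, Iliad or CNIL.
The log format, geo-IP coordinates and all sample values are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed VPN session log: start (UTC), user, minutes, source country,
# geo-IP latitude/longitude, bytes transferred out of the network.
VPN_LOG = """\
2024-09-02T08:12:00 alice 480 FR 48.85 2.35 120000000
2024-09-03T08:05:00 alice 465 FR 48.85 2.35 98000000
2024-09-04T08:20:00 alice 490 FR 48.85 2.35 134000000
2024-09-05T08:10:00 alice 470 FR 48.85 2.35 110000000
2024-09-06T08:15:00 alice 475 FR 48.85 2.35 101000000
2024-09-28T02:40:00 alice 620 FR 48.85 2.35 5400000000
2024-09-28T03:05:00 alice 30 US 40.71 -74.01 2000000
"""

MAX_PLAUSIBLE_KMH = 900.0   # assumed bound: faster than an airliner is "impossible travel"
VOLUME_FACTOR = 5           # assumed: flag sessions moving > 5x the user's historical maximum


@dataclass
class Session:
    start: datetime
    user: str
    minutes: int
    country: str
    lat: float
    lon: float
    bytes_out: int


def parse_sessions(text):
    """Parse the whitespace-separated constructed log format, oldest first."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, minutes, country, lat, lon, nbytes = line.split()
        sessions.append(Session(datetime.fromisoformat(ts), user, int(minutes),
                                country, float(lat), float(lon), int(nbytes)))
    return sorted(sessions, key=lambda s: s.start)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on a 6371 km sphere."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def build_baselines(sessions, cutoff):
    """Per user: start hours, countries, longest session and largest transfer
    seen in sessions that began before `cutoff` (the training window)."""
    baselines = {}
    for s in sessions:
        if s.start >= cutoff:
            continue
        b = baselines.setdefault(s.user, {"hours": set(), "countries": set(),
                                          "max_minutes": 0, "max_bytes": 0})
        b["hours"].add(s.start.hour)
        b["countries"].add(s.country)
        b["max_minutes"] = max(b["max_minutes"], s.minutes)
        b["max_bytes"] = max(b["max_bytes"], s.bytes_out)
    return baselines


def detect_vpn_anomalies(log_text, cutoff_iso):
    """Evaluate every session starting at or after `cutoff_iso` against the
    baseline learned from earlier sessions; return one alert per flagged session."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    sessions = parse_sessions(log_text)
    baselines = build_baselines(sessions, cutoff)
    previous = {}   # user -> most recent session, for geo-velocity
    alerts = []
    for s in sessions:
        prev = previous.get(s.user)
        previous[s.user] = s
        if s.start < cutoff:
            continue
        reasons = []
        b = baselines.get(s.user)
        if b is None:
            reasons.append("no_baseline")        # first-seen user: review, never auto-trust
        else:
            if s.start.hour not in b["hours"]:
                reasons.append("unusual_hour")
            if s.country not in b["countries"]:
                reasons.append("new_country")
            if s.minutes > b["max_minutes"]:
                reasons.append("long_session")
            if s.bytes_out > VOLUME_FACTOR * b["max_bytes"]:
                reasons.append("high_volume")
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, s.lat, s.lon)
            hours = (s.start - prev.start).total_seconds() / 3600.0
            # Start-to-start timing; a zero gap with a non-zero distance is impossible too.
            if km > 0 and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
                reasons.append("impossible_travel")
        if reasons:
            alerts.append({"time": s.start.isoformat(), "user": s.user, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_vpn_anomalies(VPN_LOG, "2024-09-20T00:00:00"):
        print(alert)
```

Run against the constructed log with a training cutoff of September 20, the two September 28 sessions are flagged: the first for its 02:40 start, unusually long duration and transfer volume far above the user's history, the second because it starts from a different continent 25 minutes later. A real deployment would feed these reason codes into the SOC queue rather than print them, and would keep the baseline rolling rather than frozen at one cutoff.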
Lesson 2: Detection Must Actually Detect
Free’s inability to identify data exfiltration over two weeks reflects a common gap between security investment and security effectiveness.
Data Loss Prevention (DLP)
Organizations should implement DLP controls that can identify:
- Bulk data extraction from sensitive systems
- Unusual query patterns in databases
- Large file transfers to unexpected destinations
- Access to data outside normal job functions
User and Entity Behavior Analytics (UEBA)
Modern security requires behavioral baselines:
- What systems does each user typically access?
- What volume of data do they normally process?
- What times do they typically work?
Deviations from these patterns should trigger investigation.
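The DLP and UEBA points above (bulk extraction from a sensitive system, access to data outside normal job functions, a behavioral baseline per user) can be demonstrated together. The following Python is an added example for this article, not code from Free, Iliad or CNIL: it builds a robust per-user baseline (median and median absolute deviation) of daily records read from a subscriber database and flags days with bulk reads, a second consecutive bulk day, and fields the user has never retrieved before. The application name, log format, the sensitivity constant K and all sample values are constructed.

```python
"""Robust per-user baseline of records read from a subscriber database,
flagging bulk reads and access to fields outside the user's normal set.

Added example for this article; not code from Free, Iliad or CNIL. The
application name, log format and every sample value are constructed.
"""
from datetime import date, timedelta
from statistics import median

# Constructed daily access summary: date, user, application, records read,
# comma-separated fields returned (as an application audit log might aggregate).
ACCESS_LOG = """\
2024-09-23 bob subscriber-db 140 name,address
2024-09-24 bob subscriber-db 155 name,address
2024-09-25 bob subscriber-db 150 name,address
2024-09-26 bob subscriber-db 148 name,address
2024-09-27 bob subscriber-db 160 name,address
2024-09-23 carol subscriber-db 300 name,address,plan
2024-09-24 carol subscriber-db 290 name,address,plan
2024-09-25 carol subscriber-db 310 name,address,plan
2024-09-26 carol subscriber-db 305 name,address,plan
2024-09-27 carol subscriber-db 295 name,address,plan
2024-10-06 bob subscriber-db 250000 name,address,iban
2024-10-07 bob subscriber-db 310000 name,address,iban
2024-10-07 carol subscriber-db 330 name,address,plan
"""

K = 10   # assumed sensitivity: flag counts more than K robust deviations above the median


def parse_access_log(text):
    """Parse the constructed log into rows ordered by date, then user."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, app, count, fields = line.split()
        rows.append({"date": date.fromisoformat(day), "user": user, "app": app,
                     "count": int(count), "fields": set(fields.split(","))})
    return sorted(rows, key=lambda r: (r["date"], r["user"]))


def robust_baseline(counts):
    """Median and median absolute deviation (MAD): unlike mean/stddev these are
    not dragged upward by the very outliers we want to catch. MAD is floored at 1
    so a perfectly constant history (MAD 0) does not flag every tiny change."""
    med = median(counts)
    mad = median(abs(c - med) for c in counts)
    return med, max(mad, 1)


def build_profiles(rows, cutoff):
    """Per user: history of daily counts and the union of fields ever retrieved."""
    profiles = {}
    for r in rows:
        if r["date"] >= cutoff:
            continue
        p = profiles.setdefault(r["user"], {"counts": [], "fields": set()})
        p["counts"].append(r["count"])
        p["fields"] |= r["fields"]
    for p in profiles.values():
        p["median"], p["mad"] = robust_baseline(p["counts"])
    return profiles


def detect_bulk_access(log_text, cutoff_iso):
    """Score each post-cutoff day against the user's history. Reason codes:
    bulk_read, sustained_bulk (second consecutive flagged day, the multi-day
    exfiltration pattern), new_field:<name>, no_baseline."""
    cutoff = date.fromisoformat(cutoff_iso)
    rows = parse_access_log(log_text)
    profiles = build_profiles(rows, cutoff)
    last_flagged = {}
    alerts = []
    for r in rows:
        if r["date"] < cutoff:
            continue
        p = profiles.get(r["user"])
        reasons = []
        if p is None:
            reasons.append("no_baseline")
        else:
            threshold = p["median"] + K * p["mad"]
            if r["count"] > threshold:
                reasons.append("bulk_read")
                if last_flagged.get(r["user"]) == r["date"] - timedelta(days=1):
                    reasons.append("sustained_bulk")
                last_flagged[r["user"]] = r["date"]
            for f in sorted(r["fields"] - p["fields"]):
                reasons.append(f"new_field:{f}")
        if reasons:
            alerts.append({"date": r["date"].isoformat(), "user": r["user"],
                           "count": r["count"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_access(ACCESS_LOG, "2024-10-01"):
        print(a)
```

With a training cutoff of October 1, bob's two October days are flagged (bulk read, then a sustained bulk read, each also pulling the iban field for the first time) while carol's slightly busier day stays inside her baseline. The point of the robust statistics is the failure mode of naive averages: a single huge day would inflate a mean-based threshold so much that the following days of the same extraction would look normal.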
Security Operations Center (SOC) Effectiveness
Having a SOC isn’t enough—it must be effective:
- Regular purple team exercises to test detection capabilities
- Metrics on mean time to detect (MTTD) and mean time to respond (MTTR)
- Coverage mapping against the MITRE ATT&CK framework
- Regular tuning of detection rules to reduce false positives while catching real threats
Lesson 3: Build a Real Data Retention Program
Free Mobile’s data hoarding violation highlights that data retention isn’t optional—it’s a core GDPR requirement under the storage limitation principle.
Develop Retention Schedules
Every data category should have a defined retention period:
- Customer data during active relationship: retained
- Customer data post-contract termination: limited retention for accounting/legal purposes
- Former customer data beyond retention period: deleted
Implement Technical Controls
Retention policies without enforcement are meaningless:
- Automated deletion workflows triggered by retention period expiration
- Data classification to identify what retention rules apply
- Audit trails proving deletion occurred as scheduled
- Quarterly validation that deletion processes function correctly
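To make the retention schedule and the technical controls above concrete, here is an added Python example, written for this article and not taken from Free, Iliad or CNIL. It classifies each customer record by lifecycle stage, applies the three-stage schedule (retain during the relationship, keep only accounting-necessary categories after termination, delete everything once the accounting period expires), honours legal holds, and writes a hash-chained audit trail so that deletion can be proven later and retrospective edits to the trail are detectable. The retention period, category names and customer records are constructed placeholders, not a statement of what any law requires.

```python
"""Retention-schedule enforcement with a tamper-evident audit trail.

Added example for this article; not code from Free, Iliad or CNIL. The
retention period, data categories and customer records are constructed
placeholders, not legal guidance on what any law actually requires.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed schedule: after a contract ends, only what accounting needs survives,
# and even that only for a fixed period. 10 years is a placeholder value.
ACCOUNTING_RETENTION_DAYS = 10 * 365
ACCOUNTING_CATEGORIES = {"identity", "billing_history"}


@dataclass
class CustomerRecord:
    customer_id: str
    status: str                     # "active" or "terminated"
    terminated_on: Optional[date]
    categories: set
    legal_hold: bool = False


def disposition(rec, today):
    """Decide what the schedule requires for one record.
    Returns (action, categories_to_delete, reason)."""
    if rec.legal_hold:
        return "retain", set(), "legal_hold"        # hold overrides the schedule; reviewed separately
    if rec.status == "active":
        return "retain", set(), "active_relationship"
    if rec.terminated_on is None:
        return "review", set(), "terminated_without_date"   # cannot compute age: escalate, never silently keep
    age_days = (today - rec.terminated_on).days
    if age_days > ACCOUNTING_RETENTION_DAYS:
        return "delete_all", set(rec.categories), "beyond_accounting_retention"
    excess = rec.categories - ACCOUNTING_CATEGORIES
    if excess:
        return "minimize", excess, "post_termination_minimization"
    return "retain", set(), "within_accounting_retention"


class AuditTrail:
    """Append-only, hash-chained log: each entry commits to the previous hash,
    so deletions can be proven later and any edit to an old entry breaks verify()."""

    def __init__(self):
        self.entries = []

    def append(self, customer_id, action, deleted, reason, today):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"seq": len(self.entries), "date": today.isoformat(), "customer_id": customer_id,
                "action": action, "deleted": sorted(deleted), "reason": reason, "prev": prev}
        body["hash"] = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append(body)

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


def run_retention(records, today_iso):
    """Apply the schedule to every record, mutate records in place, log each decision."""
    today = date.fromisoformat(today_iso)
    trail = AuditTrail()
    actions = {}
    for rec in records:
        action, to_delete, reason = disposition(rec, today)
        rec.categories -= to_delete     # stand-in for the real deletion job
        trail.append(rec.customer_id, action, to_delete, reason, today)
        actions[rec.customer_id] = action
    return actions, trail


def sample_records():
    """Constructed records covering each branch of the schedule."""
    return [
        CustomerRecord("c1", "active", None, {"identity", "iban", "billing_history", "marketing_profile"}),
        CustomerRecord("c2", "terminated", date(2019, 1, 15), {"identity", "iban", "billing_history", "marketing_profile"}),
        CustomerRecord("c3", "terminated", date(2012, 3, 1), {"identity", "billing_history"}),
        CustomerRecord("c4", "terminated", date(2010, 6, 30), {"identity", "iban"}, legal_hold=True),
    ]


if __name__ == "__main__":
    actions, trail = run_retention(sample_records(), "2026-01-13")
    print(actions, trail.verify())
```

Run on the sample data as of 2026-01-13, the active customer is retained, the customer terminated in 2019 loses the IBAN and marketing profile but keeps accounting data, the customer terminated in 2012 is deleted entirely, and the record under legal hold is left alone with the hold recorded as the reason. The quarterly validation the list calls for is exactly a re-run of `verify()` plus a check that records beyond the period no longer exist.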
Manage Stakeholder Conflicts
Different business units will argue for extended retention:
- Finance wants years of records for audits
- Marketing wants historical data for analytics
- AI teams want training data
A governance process must adjudicate these conflicts, with clear documentation of retention decisions and their justifications.
Lesson 4: Breach Notifications Must Be Meaningful
CNIL’s criticism of Free’s notifications emphasizes that breach communications must serve their protective purpose.
Content Requirements
Effective breach notifications should include:
- Clear explanation of what data was compromised
- Specific risks those data types create (e.g., “Your IBAN was exposed, which could be used for unauthorized direct debits”)
- Concrete protective steps individuals can take
- Timeline of events and company response
- Contact information for questions
Avoid Legal Jargon
Notifications written by lawyers for lawyers fail affected individuals. Communications should:
- Use plain language
- Lead with what matters to the reader
- Provide actionable guidance
- Express genuine concern rather than defensive positioning
Test Your Process
Before a breach occurs:
- Draft template notifications for various scenarios
- Have non-experts review for clarity
- Establish translation capabilities for non-native speakers
- Set up communication channels (websites, call centers) in advance
GDPR Enforcement Trends: What This Case Signals
The Free Mobile decision reflects broader enforcement trends that organizations should anticipate.
Regulators Are Getting Tougher
CNIL’s €42 million penalty joins a growing list of significant GDPR fines:
- Meta: Multiple billion-euro penalties across EU jurisdictions
- Amazon: €746 million (Luxembourg)
- Google: Multiple hundred-million-euro fines
What distinguishes the Free Mobile case is that it involves relatively straightforward security failures—not complex legal questions about consent or data transfers. Regulators are signaling that basic security hygiene failures will face substantial penalties.
Breach-Driven Enforcement
The 2,500+ complaints that triggered CNIL’s investigation demonstrate that regulators respond to public pressure. Organizations suffering breaches should expect regulatory scrutiny proportional to:
- Number of affected individuals
- Sensitivity of compromised data
- Public and media attention
- Complaint volume
Cross-Border Coordination
While this case involved a French company regulated by the French authority, GDPR’s one-stop-shop mechanism means similar enforcement patterns will emerge across Europe. Organizations operating across multiple EU member states should expect consistent enforcement approaches.
The Attacker’s Perspective: Why Basic Failures Get Exploited
Understanding why threat actors target fundamental weaknesses helps explain the urgency of addressing them.
Path of Least Resistance
Sophisticated attacks exploiting zero-day vulnerabilities make headlines, but most successful breaches exploit basic weaknesses:
- Weak or stolen credentials
- Unpatched known vulnerabilities
- Misconfigured access controls
- Inadequate network segmentation
Attackers prefer low-effort, high-reward techniques. Organizations with poor VPN authentication present easy targets compared to those requiring sophisticated attack chains.
The Economics of Attack
Every additional security control increases attacker cost:
- MFA requires credential theft plus device compromise
- Network segmentation limits lateral movement
- Detection capabilities force faster operations
- Data minimization reduces payoff
When organizations neglect basics, they become economically attractive targets.
Iliad’s Response and the Appeal
Iliad Group, parent of Free and Free Mobile, has announced plans to appeal CNIL’s decision to France’s Supreme Administrative Court (Conseil d’État). Their statement suggested disagreement with the penalty amount and regulatory conclusions.
Organizations should note that appealing regulatory decisions is common but rarely results in complete reversal. More typically:
- Fines may be reduced modestly
- Core findings usually stand
- The appeals process creates additional negative publicity
- Compliance remediation proceeds regardless of appeal outcome
CNIL has also ordered both companies to complete security improvements within three months and required Free Mobile to finish data purging within six months—deadlines that likely proceed regardless of appeal.
Action Items: Your 90-Day Compliance Sprint
Based on the Free Mobile case, organizations should prioritize:
Immediate (Week 1-2)
1. Audit VPN authentication: Confirm MFA is required for all remote access
2. Review detection capabilities: Can your SOC identify bulk data exfiltration?
3. Inventory sensitive data: Where are IBANs, financial data, and similarly sensitive information stored?
Short-Term (Month 1-2)
1. Implement enhanced monitoring: Deploy or tune UEBA for abnormal access patterns
2. Document retention policies: Create or update retention schedules for all data categories
3. Test breach notification: Conduct a tabletop exercise including notification drafting
Medium-Term (Month 2-3)
1. Begin data purging: Identify and delete data beyond retention periods
2. Validate architecture: Review whether system designs expose broader data than necessary
3. Board reporting: Brief leadership on GDPR enforcement trends and organizational risk posture
Conclusion: The Cost of Neglecting Fundamentals
Free Mobile’s €42 million penalty represents more than a regulatory fine—it’s a quantification of what basic security failures cost in 2026. The violations CNIL identified weren’t sophisticated or novel:
- VPN authentication that wasn’t robust enough
- Detection systems that couldn’t detect
- Data retained longer than necessary
- Breach notifications that didn’t communicate
These are failures that appear, in some form, in organizations worldwide. The Free Mobile case converts theoretical GDPR risk into concrete financial consequence.
For compliance professionals, the message is clear: regulatory enforcement has matured. The grace period during which organizations could claim ignorance of GDPR requirements has ended. Basic security hygiene, meaningful data minimization, and effective breach response are no longer aspirational—they’re mandatory.
The €42 million question for every organization is simple: Would your controls withstand the same regulatory scrutiny? If the answer is uncertain, the time to address that uncertainty is now—before an attacker and regulator provide the answer for you.