Paris | France’s data protection regulator CNIL has imposed penalties totalling approximately ₹3,800 crore on telecom operators Free and Free Mobile, both part of the Iliad Group, for serious violations of the European Union’s General Data Protection Regulation (GDPR). The fines relate to a major cyberattack in October 2024 that compromised the personal and financial data of more than 2.4 crore customers.
According to the regulator, the breach affected both fixed-line and mobile subscribers and involved the exposure of highly sensitive information, including bank account identifiers such as IBAN numbers. The investigation concluded that the companies failed to implement basic cybersecurity safeguards, delayed notifying affected users about the breach, and retained customer data for periods exceeding what is legally permitted under European data protection laws.
The inquiry found that the cyberattack began on September 28, 2024, but the companies became aware of the intrusion only on October 21, after the attacker contacted them directly. Although access was blocked the following day, a significant volume of data had already been extracted. The regulator cited this delay as evidence of inadequate monitoring systems and ineffective threat-detection mechanisms.
Investigators established that the attacker initially gained access through a virtual private network (VPN) used by employees for remote work. From there, the attacker accessed a subscriber management tool known as MOBO, which is used by Free Mobile. While the tool was associated with the mobile business, it allowed queries across databases linked to both Free and Free Mobile customers, substantially widening the scale of the data breach.
Data extraction reportedly began on October 6, 2024, ultimately affecting 2,46,33,469 customer contracts. These included around 1.94 crore Free Mobile accounts and approximately 51.7 lakh Free fixed-line contracts. At the time of the breach, Free Mobile had about 1.55 crore active customers, while Free had roughly 76 lakh. This disparity indicated that a significant volume of data belonging to former customers remained stored within company systems and was also compromised.
The regulator described this as a serious failure of data-retention practices. Its findings showed that the companies lacked effective systems to segregate and restrict former customers’ data strictly to accounting or legal requirements. No robust data-deletion or isolation mechanisms were in place at the time of the attack, allowing outdated and unnecessary records to remain accessible to unauthorised actors.
In its ruling, the regulator identified three major GDPR violations: failure to ensure adequate protection of personal data, failure to provide timely and complete information to affected individuals following the breach, and non-compliance with legal obligations related to data minimisation and retention. It also pointed out that authentication measures for VPN-based remote access were insufficient and that systems meant to detect suspicious activity did not operate effectively.
The regulator further criticised the initial notifications sent to customers, stating that the emails lacked essential details needed for users to understand the risks and take protective measures, particularly given the exposure of banking-related information.
While determining the penalty amount, the regulator considered the financial strength of the Iliad Group. In 2024, the group reported revenue of approximately ₹9 lakh crore and profits of around ₹3,300 crore. Of the total penalty, ₹1,350 crore was imposed on Free and ₹2,450 crore on Free Mobile.
The ruling highlights the increasingly strict regulatory stance in Europe on cybersecurity and data protection. The regulator emphasised that failures in what it termed “basic” security practices—such as remote access controls, network monitoring and disciplined data management—can have wide-ranging consequences for large consumer-facing telecom networks.
The companies have not yet issued any official statement on whether they plan to appeal the decision. However, the case adds to growing pressure on telecom and data-driven firms to strengthen cybersecurity frameworks, ensure transparent and timely disclosure of breaches, and strictly comply with data-retention requirements under European law.
About the author — Suvedita Nath is a science student with a growing interest in cybercrime and digital safety. She writes on online activity, cyber threats, and technology-driven risks. Her work focuses on clarity, accuracy, and public awareness.
