French ISP Free Fined €42 Million: When Your Internet Provider Becomes Your Biggest Privacy Risk

Your internet provider knows everything about you. Your name, address, phone number, payment details, browsing habits. You trust them to keep that data safe.

French ISP Free just proved that trust can be misplaced.

The French privacy authority CNIL has fined Free and its mobile division Free Mobile a combined €42 million after a data breach in late 2024 exposed the personal information of millions of customers—including over 5 million bank account numbers.

Here's what happened, what went wrong, and what this means for your privacy.

What Was Stolen

The breach exposed an alarming amount of personal data:

Data Type              Risk Level  Potential Abuse
Full name              Medium      Identity theft, social engineering
Email address          Medium      Phishing, spam, account takeover
Home address           High        Physical threats, targeted scams
Date & place of birth  High        Identity verification bypass
Phone number           Medium      SIM swapping, vishing
Subscription details   Low         Targeted scams
Contract information   Low         Social engineering
IBAN (bank account)    Critical    Fraudulent direct debits, financial fraud

The IBAN exposure is particularly concerning. With a name, address, and IBAN, criminals can attempt fraudulent SEPA direct debits, potentially draining bank accounts before victims even notice.

Over 5 million IBANs stolen. If you're a Free customer, monitor your bank statements closely. Set up transaction alerts and consider contacting your bank about the breach.

How It Happened: The VPN Failure

CNIL's investigation revealed that Free had failed to implement basic security measures. The most damning finding? The VPN authentication was inadequate.

Yes, you read that right. An internet service provider—a company that literally provides internet access—had weak VPN security for its own employees.

The Technical Failures

CNIL specifically criticized:

  1. Weak VPN authentication — The login procedure for employees connecting remotely was "insufficiently robust." This likely means weak passwords, no multi-factor authentication, or easily bypassed security controls.
  2. Ineffective anomaly detection — Free had measures in place to detect unusual network activity, but they didn't work. The breach went undetected until significant damage was done.
  3. Inadequate data protection — Given the volume and sensitivity of the personal data Free processes, CNIL found their security measures insufficient.

In other words: an attacker compromised an employee's VPN access, got into Free's network, and extracted millions of customer records—all while Free's security systems failed to notice.
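As an added illustration of the kind of check the second finding is about (this is example code written for this article, not Free's or CNIL's, and not a description of what Free actually ran), here is a minimal per-user baseline check over constructed VPN-session records. It flags a remote session whose data egress, customer-record reads, or login country deviates sharply from that employee's own history, which is exactly the pattern described above: one compromised VPN login pulling millions of records.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample records: (user, session_id, country, bytes_out, records_read).
# Session s4 models the scenario in the article: a compromised employee VPN
# login from an unusual place that pulls millions of customer records.
SESSIONS = [
    ("alice", "s1", "FR", 20_000_000, 120),
    ("alice", "s2", "FR", 25_000_000, 150),
    ("alice", "s3", "FR", 18_000_000, 90),
    ("alice", "s4", "XX", 9_000_000_000, 5_200_000),
    ("bob",   "s5", "FR", 40_000_000, 300),
    ("bob",   "s6", "FR", 38_000_000, 280),
]


def flag_sessions(sessions, ratio=10.0):
    """Return {session_id: [reasons]} for sessions that deviate from the
    user's own history. The baseline for each session is built from the
    user's *other* sessions (leave-one-out), so a single huge outlier does
    not inflate its own baseline and thereby hide itself."""
    by_user = defaultdict(list)
    for rec in sessions:
        by_user[rec[0]].append(rec)
    flagged = {}
    for user, sid, country, out_bytes, records in sessions:
        others = [r for r in by_user[user] if r[1] != sid]
        if not others:
            continue  # no history for this user, nothing to compare against
        reasons = []
        base_bytes = max(mean(r[3] for r in others), 1)
        base_recs = max(mean(r[4] for r in others), 1)
        if out_bytes > ratio * base_bytes:
            reasons.append(f"egress {out_bytes:,} B is {out_bytes / base_bytes:.0f}x baseline")
        if records > ratio * base_recs:
            reasons.append(f"{records:,} records read vs baseline {base_recs:.0f}")
        if country not in {r[2] for r in others}:
            reasons.append(f"first VPN login from {country}")
        if reasons:
            flagged[sid] = reasons
    return flagged


if __name__ == "__main__":
    for sid, why in flag_sessions(SESSIONS).items():
        print(sid, "->", "; ".join(why))
```

A real deployment would feed the same logic from VPN concentrator and database audit logs and page an on-call analyst, rather than print; the point is that a baseline this simple already separates s4 from every normal session.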

The Notification Failure

Under GDPR, companies must notify affected individuals about data breaches. But it's not enough to just send an email—you need to provide specific information so people can protect themselves.

Free's breach notification failed this test. According to CNIL:

"The notification email did not contain all necessary information, preventing victims from understanding the consequences of the breach or taking measures to protect themselves."

This is a common pattern in data breaches. Companies send vague notifications that say "some of your data may have been accessed" without explaining:

  • Exactly what data was stolen
  • What risks this creates
  • What specific steps to take
  • How to monitor for fraud

Victims are left in the dark, unable to take appropriate precautions.

The Data Retention Problem

CNIL also found that Free and Free Mobile were keeping customer data longer than necessary. Under GDPR's data minimization principle, companies should only retain personal data for as long as it's needed for the original purpose.

Free must now:

  • Complete security improvements within 3 months
  • Delete all unnecessarily retained subscriber data within 6 months

This raises an important question: how much of your data is sitting on servers, long after it should have been deleted?

The €42 Million Fine Breakdown

Entity       Fine Amount  GDPR Violations
Free         €27 million  Inadequate security, data retention, poor notification
Free Mobile  €15 million  Same violations for mobile division
Total        €42 million  Multiple GDPR Article violations

For context, GDPR fines can reach up to 4% of global annual revenue. This €42 million fine, while substantial, represents just a fraction of what CNIL could have imposed.

Why Your ISP Is a Privacy Risk

This breach highlights a fundamental truth: your ISP is one of your biggest privacy vulnerabilities.

Think about what your ISP knows:

  • Your identity — Name, address, ID documents (for contract verification)
  • Your payment details — Bank account, credit card, billing history
  • Your browsing history — Every website you visit (unless using a VPN)
  • Your location — Service address, and potentially mobile location data
  • Your devices — MAC addresses, connected devices
  • Your usage patterns — When you're home, when you're online

When an ISP gets breached, all of this becomes available to attackers. And unlike a social media breach where you can change your password, you can't change your home address or date of birth.

How Can You Protect Yourself?

1. Use a VPN

A VPN encrypts your internet traffic between your device and the VPN server, so your ISP sees only encrypted traffic to that server rather than which websites you visit. Even if your ISP gets breached, attackers won't have access to your browsing history.

Test Your VPN: Use our DNS leak test to verify your VPN is actually protecting your traffic. If your ISP's DNS servers appear, your browsing is still exposed.

2. Monitor Your Bank Accounts

If your IBAN was exposed (like Free's 5+ million customers), set up:

  • Transaction alerts for any debit
  • Daily balance notifications
  • Direct debit authorization controls

Many banks allow you to whitelist authorized direct debit originators. Any debit request from an originator not on that list will be rejected.

3. Enable Multi-Factor Authentication Everywhere

With your email and phone number exposed, attackers may try to access your other accounts. Enable MFA on:

  • Email accounts
  • Banking apps
  • Social media
  • Any account with sensitive data

4. Watch for Phishing

Breach data is often used for targeted phishing. Attackers can craft convincing emails like:

Example Phishing Email:

"Dear [Your Real Name],

We noticed unusual activity on your Free account at [Your Real Address]. Please verify your identity by clicking here..."

The use of real personal details makes these scams much more convincing. Be skeptical of any unexpected communication, even if it contains accurate information about you.

5. Consider Identity Monitoring

With name, address, date of birth, and IBAN exposed, identity theft is a real risk. Consider:

  • Credit monitoring services
  • Dark web monitoring for your email/IBAN
  • Fraud alerts with credit bureaus

The Bigger Picture: ISP Security in Europe

Free isn't the first ISP to face GDPR enforcement. This breach comes amid increasing scrutiny of how telecom companies handle customer data.

Recent European ISP/telecom issues include:

  • Italy: Cloudflare fined €14M for refusing to censor DNS (we covered this last week)
  • Spain: LaLiga forcing ISPs to block Cloudflare IPs, breaking thousands of legitimate sites
  • Germany: Multiple telecom breaches under investigation

The pattern is clear: ISPs and telecom companies are both targets for hackers and tools for government overreach. Either way, your data is at risk.

What This Means for You

The Free breach is a reminder that privacy isn't just about what you share online. The companies that provide your basic internet access hold massive amounts of sensitive data, and they don't always protect it adequately.

Key takeaways:

  1. Minimize data shared with your ISP — Only provide what's legally required
  2. Use a VPN — Encrypt your traffic so your ISP sees less
  3. Monitor your accounts — Especially if you're in a country with recent ISP breaches
  4. Don't trust breach notifications — Do your own research on what was exposed
  5. Exercise your GDPR rights — Request data deletion, access your records

Your ISP is supposed to connect you to the internet safely. When they fail at basic security, you pay the price.