Free Data Breach
Free French ISP & Mobile Carrier Breach (2024): 13.9 Million Customer Records Including IBAN Bank Account Numbers Exposed
French telecom and ISP serving Freebox and Free Mobile
Risk Interpretation
Risk is high because telecom and ISP breaches can expose a rich customer profile that supports identity fraud, phishing, SIM-related scams, and targeted impersonation. Communications providers often hold durable identifiers and service-level data that can materially increase downstream abuse potential.
Impact & Downstream Threats
The institutional impact on Free has been substantial and continues to evolve through ongoing regulatory and judicial proceedings. The €42 million combined CNIL fine is among the largest GDPR enforcement actions against a French telecommunications operator and represents a notable precedent for enforcement of authentication and monitoring requirements under the GDPR. Iliad's planned appeal to France's Supreme Administrative Court (Conseil d'État) will provide an important test of the proportiona
- Financial fraud using exposed financial profile data
- Identity verification bypass using name + date of birth combination
- SIM swap attacks where phone numbers are present
- Doxxing risk from physical address exposure
Threat Vectors
Breach Intelligence
Executive Summary
Free S.A.S., the second-largest French internet service provider and mobile network operator, suffered a data breach on October 17, 2024, when threat actors gained unauthorized access to an internal management tool and exfiltrated subscriber data covering both Free Mobile carrier customers and Freebox residential broadband subscribers. Free publicly confirmed the breach on October 26, 2024, after a threat actor using the alias 'drussellx' listed two databases for sale on BreachForums. The seller offered the dataset at auction for approximately $175,000 and subsequently made extortion-style threats, including a threat to publicly release '100,000 lines of French IBANs from Free customers' if Free did not intervene in the auction. A separate threat actor using the alias 'YuroSh' subsequently claimed to have been the actual hacker, with drussellx serving as the seller, and described his motivation as hacktivist rather than financial. Free filed a criminal complaint and notified CNIL and ANSSI.
The breach affected approximately 13.9 million unique customer records based on records indexed by Have I Been Pwned (with the original threat actor's auction listing claiming 19.2 million customer accounts and 5.11 million IBAN records, and the subsequent CNIL investigation referencing 24 million subscribers as the regulatory population). The total exfiltrated dataset was approximately 43.6 gigabytes in JSON format. Compromised fields included full names, phone numbers, postal addresses, dates of birth, gender, email addresses, Free Mobile user IDs and login identifiers, service offer details, account statuses, and mobile numbers. For Freebox residential broadband subscribers specifically, the dataset additionally included IBAN bank account numbers, Freebox identifiers, service activation dates, and BIC banking identifiers. Free publicly emphasized that no passwords, bank card details, email contents, SMS contents, or voicemail contents were exposed in the breach, and that the IBAN exposure alone was 'not enough to make a direct debit from a bank.'
For affected customers, the practical risk profile is significant due to the combination of complete identity-profile exposure with French banking-identifier data for the Freebox subset. The IBAN exposure does not by itself enable direct debit fraud (because direct debit authorization in France requires additional steps beyond the IBAN), but the combination of full name, address, date of birth, and IBAN supports phishing attacks that can plausibly impersonate Free's billing function and request authorization for fraudulent direct debits. Affected Freebox subscribers should review their bank statements monthly for any unauthorized direct debit attempts, and should treat any communication purporting to be from Free or from their bank requesting direct-debit authorization with elevated caution. Affected mobile subscribers face elevated SIM-swap risk because the dataset includes mobile numbers tied to subscriber identity. Affected customers should change passwords on Free Mobile and Freebox accounts, enable two-factor authentication where available, monitor financial accounts for suspicious activity, and remain alert to phishing emails and SMS messages referencing real Free subscription details. Affected French citizens may file complaints with CNIL, which has retained an active enforcement posture on this case.
About Free
Free S.A.S. is a major French telecommunications company operating as a subsidiary of Groupe Iliad (Iliad S.A.). Free operates as France's second-largest internet service provider and mobile network operator, serving approximately 22.9 million mobile and fixed broadband subscribers across France through the Free Mobile mobile carrier brand and the Freebox residential broadband brand. Free was founded in 1999 and built its market position through aggressive low-cost pricing that disrupted the French telecommunications market. As a national telecommunications operator, Free maintains substantial subscriber data including identity, contact information, demographic data, service-account details, billing information, IBAN bank account numbers used for direct-debit billing of Freebox subscribers, and BIC banking identifiers.
Why They Hold Your Data
French telecom and ISP serving broadband and mobile customers through account-based communications services. The likely data context includes subscriber records, contact details, service-account information, billing or support-linked records, and data tied to telecom service use.
Recent Developments
Free is now the subject of one of France's largest GDPR enforcement actions following the October 2024 breach. In January 2026, France's data protection authority CNIL imposed total fines of approximately €42 million ($48 million) on Iliad Group subsidiaries — €27 million ($31 million) on Free SAS and €15 million ($17 million) on Free Mobile — for GDPR violations identified during the post-breach investigation. CNIL's enforcement findings included inadequate authentication procedures for VPN connections to internal systems and lack of effective measures for detecting unusual activity on Free's information systems. CNIL's press release cited the sensitivity of the breached data, the companies' large profits, and a 'lack of knowledge of essential security principles.' A Groupe Iliad spokesperson characterized the sanctions as 'completely disproportionate' and announced that the companies will appeal to France's Supreme Administrative Court, while emphasizing that Iliad has 'reinforced our security architecture, strengthened our access controls, and put in place enhanced real-time surveillance' since October 2024.
Data Points Exposed
Exposure Categories
Canonical Fields
bank_account_number, date_of_birth, full_name, gender, phone_number, physical_address
Dark Web Verification
- Dataset containing ~13.9M records identified in breach intelligence sources
- Data indexed and searchable across breach notification platforms
- Source: Free Data Breach;free-2024
Recommended Actions
⚠️ Do not assume this is low sensitivity.
Powered by the ObscureIQ Breach Intelligence Database
© 2026 ObscureIQ · All Rights Reserved · Data Licensing
