Overview
- The CNIL’s sanctions, adopted on January 8 and published January 14 in the Journal officiel, require technical and organizational fixes within three months.
- The October 2024 intrusion exposed data tied to more than 24 million contracts, including identity, contact and contractual details, with some customers’ IBANs also taken.
- Inspectors found data from over 15 million terminated contracts older than five years, including 3 million older than ten years, which the CNIL deemed manifestly excessive under GDPR.
- Free said the decision shows unprecedented severity, reported that its security architecture has been reinforced, and plans to appeal to the Conseil d'État.
- The regulator logged more than 2,000 complaints from affected individuals, and a 16-year-old suspect was placed under formal investigation in January 2025.