Full Report
In October 2024, French ISP "Free" suffered a data breach. The stolen data was subsequently posted for sale and later leaked publicly. It included 14M unique email addresses along with names, physical addresses, phone numbers, genders, dates of birth and, for many records, IBAN bank account numbers. Free advised that the numbers were "not enough to make a direct debit from a bank".
Analysis Summary
# Incident Report: Free (French ISP) Data Breach (October 2024)
## Executive Summary
In October 2024, the French ISP "Free" suffered a significant data breach exposing the personal information of approximately 14 million users. The compromised data, which included names, addresses, emails, dates of birth, and in many cases, IBAN bank account numbers, was subsequently listed for sale and later publicly leaked. While Free downplayed the risk associated with the banking details, the scope of Personally Identifiable Information (PII) exposure necessitates immediate remedial action by affected customers.
## Incident Details
- **Discovery Date:** May 27, 2025 (Date data was added to HIBP—actual discovery date unknown)
- **Incident Date:** October 2024 (Breach occurred)
- **Affected Organization:** Free (French ISP)
- **Sector:** Telecommunications/Internet Services Provider (ISP)
- **Geography:** France
## Timeline of Events
### Initial Access
- **Date/Time:** October 2024 (Approximate)
- **Vector:** Not stated in the source; a compromise is implied only by the subsequent data exposure.
- **Details:** Attackers successfully compromised Free's systems, gaining access to customer databases.
### Lateral Movement
- *Details not specified in the source material.* The exposed data suggests that core customer records databases were accessed.
### Data Exfiltration/Impact
- **Impact:** Approximately 13.9 million unique records were compromised.
- **Data Stolen:** Email addresses, names, physical addresses, phone numbers, genders, dates of birth, and IBAN bank account numbers (for many records).
### Detection & Response
- **Detection:** The breach was eventually discovered when the data was posted for sale and later leaked publicly. Customer notification is implied by the advisory actions.
- **Response Actions:** External recommendations called for affected users to change their passwords (if not changed since 2024) and enable Two-Factor Authentication (2FA).
## Attack Methodology
The source does not provide granular technical details on the attack, but it implies successful unauthorized access resulting in large-scale data harvesting.
- **Initial Access:** Unknown, but it involved successful exploitation of a vulnerability or a credential compromise that led to network/database access.
- **Persistence:** Unknown.
- **Privilege Escalation:** Unknown.
- **Defense Evasion:** Unknown.
- **Credential Access:** Potentially involved accessing databases containing hashed or weakly encrypted credentials.
- **Discovery:** Unknown, likely internal reconnaissance post-breach.
- **Lateral Movement:** Unknown.
- **Collection:** Bulk harvesting of multiple PII fields from customer databases.
- **Exfiltration:** Data packaged and released publicly/for sale on the dark web.
- **Impact:** Massive identity and financial data exposure (PII, partial banking details).
## Impact Assessment
- **Financial:** Not specified. The exposure of IBAN numbers creates potential financial impact for victims through unauthorized direct debits (though Free disputed this risk).
- **Data Breach:** Exposure of PII fields for approximately 14 million users, including **IBANs**.
- **Operational:** Not specified, but responding to the database extraction and mitigating further fallout likely caused significant internal operational disruption.
- **Reputational:** Significant reputational damage to Free, France’s second-largest ISP, for failing to secure sensitive customer data.
## Indicators of Compromise
*Note: No specific IP addresses, domains, or file hashes were provided in the summary.*
- **Network indicators:** None available.
- **File indicators:** None available.
- **Behavioral indicators:** Unauthorized bulk data extraction from customer databases.
## Response Actions
*The source primarily focused on customer recommendations rather than forensic response steps taken by Free.*
- **Containment:** Implied necessary steps to secure the compromised database/system post-discovery.
- **Eradication:** Implied removal of attacker access points.
- **Recovery:** Unknown (e.g., system rebuilds, credential resets, regulatory notifications).
## Lessons Learned
- **Data Minimization:** The incident highlights the risk of storing highly sensitive data (such as IBANs) long-term when basic PII would suffice for service delivery.
- **Incident Visibility:** The data was available for sale and leaked publicly before widespread customer awareness, suggesting delays in internal detection or disclosure processes.
## Recommendations
- **Immediate Credential Reset:** All Free users who have not changed their password since 2024 should do so immediately.
- **Mandatory 2FA Implementation:** Free should strongly encourage or mandate the adoption of Two-Factor Authentication (2FA) across all user accounts.
- **Financial Monitoring:** Users whose IBANs were exposed should utilize identity theft monitoring services and vigilantly review their bank statements for unauthorized debits.
- **Data Security Review:** Free must conduct a thorough review of its encryption, access controls, and retention policies for banking information.