A data breach involving Free was reported in January 2026. See incident details, impact on customers, and recommended security measures.
# Incident Report: Free Mobile Management Tool Compromise
## Executive Summary
Free (free.fr) experienced a critical data breach, publicly reported on January 13, 2026, attributed to the threat actor "drussellx." The breach involved unauthorized access to the company's management tool, leading to the exfiltration of data belonging to nearly 23 million subscribers, including IBANs for 25% of affected users. The incident resulted in a massive GDPR violation fine from the French data protection authority (CNIL) due to severe security and data retention failures.
## Incident Details
- Discovery Date: Not explicitly stated, but publicly reported on January 13, 2026.
- Incident Date: The primary compromise likely occurred in **October 2024**, though regulatory action and reporting occurred in January 2026.
- Affected Organization: Free (free.fr)
- Sector: Telecommunications
- Geography: France
## Timeline of Events
### Initial Access
- Date/Time: Occurred possibly as early as **October 2024**.
- Vector: Unauthorized access to the company's **management tool**.
- Details: The specific vulnerability exploited is not detailed, but the access allowed the attacker to penetrate internal systems.
### Lateral Movement
- Details: Attackers leveraged initial access to the management tool to navigate internal systems and identify target data for exfiltration.
### Data Exfiltration/Impact
- Details: Sensitive information belonging to nearly **23 million subscribers** was exfiltrated. This included **IBANs for approximately 25%** of those affected.
### Detection & Response
- Details: The incident came to broader public attention through regulatory action by CNIL on **January 13, 2026**. The regulatory investigation highlighted "critical failures in data security, inadequate breach notifications, and excessive data retention practices." The company's response included securing its management systems; it also faced regulatory penalties.
## Attack Methodology
- Initial Access: Compromise of internal **management tools**.
- Persistence: Not detailed, likely maintained via compromised credentials or backdoors in the management system.
- Privilege Escalation: Not detailed, but necessary to gain access to subscriber data records within the management tools.
- Defense Evasion: Not detailed, but the breach went undetected for a significant period (from Oct 2024 to Jan 2026 reporting).
- Credential Access: Not detailed.
- Discovery: Attackers likely performed internal reconnaissance to map the database structure containing subscriber records.
- Lateral Movement: Movement within the internal environment facilitated by access to the management tool.
- Collection: Gathering personal identifiable information (PII) and financial data (IBANs).
- Exfiltration: Subscriber data was exfiltrated through unauthorized access to the management infrastructure.
- Impact: Massive data loss leading to regulatory fines and consumer risk.
## Impact Assessment
- Financial: Significant regulatory fine issued by CNIL (described as "massive"). Unspecified costs related to remediation and breach response.
- Data Breach: Nearly **23 million subscriber records** compromised. **IBANs exposed for ~5.75 million users**.
- Operational: Implied operational stress due to CNIL investigation and mandated security overhauls.
- Reputational: Severe reputational damage resulting from the scale of the data loss and subsequent regulatory action.
## Indicators of Compromise
*Note: Specific IOCs (IPs, hashes) were not provided in the summary; only behavioral indicators tied to the threat actor are available.*
- Network indicators: None provided; the activity is attributed to the threat actor **drussellx**.
- File indicators: N/A.
- Behavioral indicators: Unauthorized access and high-volume data extraction from sensitive management tools.
## Response Actions
- Containment: The article implies management systems were secured following discovery/regulatory action.
- Eradication: Implied internal audit and remediation of security vulnerabilities within the compromised management tools.
- Recovery actions: Required by CNIL, likely involving heightened security controls, improving breach notification processes, and auditing data retention policies.
## Lessons Learned
- Critical infrastructure should not rely on aging or insufficiently secured management tools that hold high volumes of customer PII or financial data.
- Data retention policies must be strictly adhered to; excessive retention increases the potential impact of a breach.
- Breach notification procedures must be timely and adequate to meet regulatory requirements (CNIL's investigation highlighted inadequate notifications).
## Recommendations
- Immediately conduct a comprehensive security audit of all internal management and administrative tools, focusing on access controls and least privilege principles.
- Implement strict data retention policies to minimize the amount of sensitive customer data (especially IBANs) stored long-term.
- Enhance monitoring capabilities around management tool access to detect unauthorized reconnaissance or bulk data retrieval.
- Implement multi-factor authentication (MFA) across all management interfaces.
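The behavioral indicator above (high-volume extraction from a management tool) and the monitoring recommendation both come down to detecting bulk subscriber-record retrieval and reads of financial fields. The following added example (not Free's tooling or code from the report) shows one such detection run over a constructed access log; the log format, account names, field names and thresholds are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log for a hypothetical subscriber-management tool.
# Assumed format: "<ISO timestamp> user=<account> action=<verb> fields=<list> rows=<n>"
SAMPLE_LOG = """\
2026-01-10T09:00:01Z user=agent01 action=lookup fields=name,phone rows=1
2026-01-10T02:13:05Z user=svc_ops action=export fields=name,iban rows=5000
2026-01-10T02:14:11Z user=svc_ops action=export fields=name,iban rows=5000
2026-01-10T02:15:30Z user=svc_ops action=export fields=name,iban rows=5000
2026-01-10T09:05:12Z user=agent02 action=lookup fields=name,iban rows=1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"fields=(?P<fields>\S+) rows=(?P<rows>\d+)$"
)
# Tunable thresholds (assumed values, not taken from the report).
BULK_ROWS_PER_WINDOW = 10_000   # rows one account may read per sliding window
WINDOW = timedelta(minutes=10)
SENSITIVE_FIELDS = {"iban"}     # the financial data the report singles out


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
    d["rows"] = int(d["rows"])
    d["fields"] = set(d["fields"].split(","))
    return d


def detect(log_text):
    """Return (alert_type, user, count) tuples for bulk retrieval within a
    sliding window and for any export that touches sensitive fields."""
    alerts = []
    history = defaultdict(deque)  # user -> (ts, rows) events inside WINDOW
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    for e in sorted(events, key=lambda x: x["ts"]):
        q = history[e["user"]]
        q.append((e["ts"], e["rows"]))
        while q and e["ts"] - q[0][0] > WINDOW:   # evict old events
            q.popleft()
        total = sum(r for _, r in q)
        if total > BULK_ROWS_PER_WINDOW:
            alerts.append(("bulk_retrieval", e["user"], total))
        if e["action"] == "export" and e["fields"] & SENSITIVE_FIELDS:
            alerts.append(("sensitive_export", e["user"], e["rows"]))
    return alerts
```

In the sample, no single export crosses the row threshold; the third one trips the bulk alert only because the window accumulates the earlier two, which is the pattern a per-request limit would miss.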