Features 28.01.2026

AI Autopsy: How Free’s Data Breach Became a €42m Regulatory Reckoning

How a series of avoidable weaknesses cost the French telco dear

Carly Page finds out what happens when excessive data retention, poor security monitoring and non-existent access controls collide

Sixty-second snapshot.

  • French telco Free and its Free Mobile business were recently fined €42m (£36m) following a major 2024 data breach impacting 24 million subscribers
  • They were found to have no mobile device authentication or multi-factor authentication in place for employees. Additionally, security monitoring failed
  • The French regulator also criticised Free’s customer comms, and said data retention was excessive – millions of subscriber details were held for over a decade
  • CISOs should rethink which historical datasets they need access to and move older data offline or into more tightly controlled environments
  • Access controls should align with industry best practices (e.g., phishing-resistant MFA)
  • Customer communication must be as prompt and detail-rich as possible
  • Consider AI-powered SIEM to spot unusual patterns (e.g., large data downloads) more effectively, and flag outdated information for deletion


In late 2024, attackers gained access to the internal systems of Free, one of France’s largest telecoms groups, and spent weeks quietly rifling through subscriber data before anyone noticed. The investigation that followed reveals a familiar mix of weak access controls, slow detection, and long-retained data. It ultimately cost the company €42m (£36m) in regulatory fines.

What happened inside Free’s systems?

In January 2026, France’s data protection authority, the Commission nationale de l’informatique et des libertés (CNIL), fined Free Mobile €27m and parent company Free €15m for breaches of the GDPR. The fines were not issued for how attackers got in, but for what they were able to access once inside, and for how long weaknesses in security, monitoring and data retention had been left unaddressed.

The intrusion ran from September 28 to October 22 2024, according to CNIL. The regulator linked the entry point to employee VPN access and said the controls Free had in place did not reflect the sheer volume of personal data that could be accessed once inside the network.

“If your monitoring isn’t solid, exfiltration can look like business as usual” Oleksii Baranovskyi

CNIL didn’t share a full exploit chain in its write-up. But it’s clear that remote access controls were insufficient, with CNIL citing Free’s lack of mobile device authentication and multi-factor authentication (MFA) for employees. The incident was only discovered after the threat actor contacted Free on October 21 2024.

Once connected via the VPN, they could access internal applications and interact with subscriber data through an internal customer management tool called MOBO. CNIL noted that MOBO allowed personal data to be queried and displayed directly on screen. That means the attacker didn’t need to deploy malware or extract entire databases to access sensitive information.

In this way, they were able to access personal data linked to more than 24 million subscriber contracts across Free Mobile and Free. The exposed data included identity and contact details, contract information, and, for some unlucky customers, international bank account numbers (IBANs).

CNIL said the activity went unnoticed despite the volume of data being accessed and the length of time the attacker remained inside Free’s systems. Queries against subscriber records were considered part of day-to-day operational use and raised no alarms.

Why the fine was so high

By the time CNIL completed its investigation, it had logged 2614 complaints from affected customers. The regulator’s penalties are grounded in three interlinked failures. The first is technology-related. Under Article 32 of the GDPR, organisations must implement technical and organisational measures proportionate to the risks they face. For a telecoms provider handling tens of millions of customer records, Free’s remote access controls and security monitoring fell well short of that standard.

CNIL also took issue with how the breach was communicated to customers. It said the notifications were too thin on detail, giving customers little clarity on what data had been affected or what the breach might mean for them.

The most damaging finding, however, related to data retention. CNIL found that Free Mobile was “retaining millions of subscriber records for over 10 years without justification”. There was no effective system in place to sort or delete that data, leaving large volumes of outdated information accessible inside live systems at the time of the breach.

The regulator argued that this approach to data retention played a key part in the scale of the exposure, and ordered Free Mobile to bring its practices into line within six months.

When attackers move at machine speed

The case underlines how brittle traditional security models can be once attackers are inside the network. Oleksii Baranovskyi, chief cybersecurity researcher at Cracken, tells Assured Intelligence that the breach reflects a failure to adapt to the rapid pace of modern intrusions.

“It wasn’t so much about sophisticated attackers, but basic security failures and excessive data retention” Michael Vallas

“AI has made the attacker’s time-to-valid-access collapse,” he says. “If your VPN or identity layer is weak, AI-enabled phishing, credential stuffing and session replay turn it into a near-automated breach path, not a bespoke operation.”

Once access is established, attackers can use automation to rapidly map internal systems, identify high-value datasets and generate queries that blend into normal traffic, Baranovskyi explains. “So if your monitoring isn’t solid, exfiltration can look like business as usual,” he continues. “In that world, data minimisation and retention discipline aren’t just compliance hygiene; they’re breach-impact controls, because you can’t leak what you no longer store.”

Lessons for CISOs in a regulatory age

CNIL frames the breach as a consequence of long-standing security gaps rather than any significant innovation by a threat actor. That framing resonates with Michael Vallas, global field CTO at Goldilock Secure, who says the case should prompt CISOs to revisit fundamentals.

“One of the key issues in the Free case wasn’t so much about sophisticated attackers, but basic security failures and excessive data retention,” he tells Assured Intelligence. Vallas points out that a large share of the exposed data had been retained well beyond its original purpose, increasing the amount of information caught up in the breach. Addressing those problems after an incident, he says, is far more difficult than managing retention properly beforehand.

Vallas argues that organisations should go beyond simple retention schedules and rethink which historical datasets genuinely need to remain online and immediately accessible. By selectively moving older data offline or into more tightly controlled environments, CISOs can reduce the blast radius of inevitable failures, he claims.

Ronald Lewis, senior manager of security compliance and auditing at Black Duck, sees another familiar problem: temporary fixes that quietly become permanent. “There is no such thing as a ‘temporary technology solution’”, he tells Assured Intelligence. Lewis notes that emergency workarounds, whether for remote access or data handling, often outlive their original purpose and turn into long-term liabilities if they are not revisited and hardened.

He also points to data minimisation as a necessary counterweight to years of accumulation. Holding on to data for too long draws regulatory scrutiny and exacerbates breaches, he says, especially when communication with customers is slow or unclear. Getting information out early, he adds, can reduce the knock-on effects for people caught up in an incident.

When security monitoring fails

For Zbyněk Sopuch, CTO of Safetica, the case underscores the limits of traditional monitoring. He argues that traditional, rules-based detection often misses how attacks unfold in real systems. More adaptive analysis, including AI-based approaches, can surface unusual behaviour that would otherwise go unnoticed.

“AI can automate data expiry alerts within SIEM, flagging outdated subscriber information for purging” Zbyněk Sopuch

“Using AI in SIEM planning and execution allows the safe testing and handling of incoming data logs, automates password or key changes on a schedule, and spots and checks unusual data patterns – such as downloading large amounts of information,” Sopuch tells Assured Intelligence.

“AI can also automate data expiry alerts within SIEM, flagging outdated subscriber information for purging. But for any data purging, there should be a human in the loop to verify that the correct data is being removed.”
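Detection logic of the kind Sopuch describes, flagging unusually large subscriber lookups (the pattern CNIL said went unnoticed at Free) and queueing over-retained records for human review rather than automatic deletion, as an added example that is not from the article or from any vendor named in it; the log layout, account names, thresholds and the 10-year window are all assumptions.

```python
from collections import defaultdict
from datetime import date, datetime
from statistics import median

# Constructed lookup events from an internal customer-management tool (field
# layout is an assumption, not Free's MOBO format): timestamp, account, records returned.
QUERY_LOG = """\
2024-09-20T09:12:00 agent07 3
2024-09-21T10:05:00 agent07 4
2024-09-21T11:30:00 agent12 5
2024-09-22T09:50:00 agent12 3
2024-09-23T10:10:00 agent07 2
2024-09-28T22:15:00 agent12 4800
2024-09-29T01:03:00 agent12 5200
2024-09-29T02:44:00 agent12 6100
"""

def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, user, count = line.split()
        rows.append((datetime.fromisoformat(ts), user, int(count)))
    return rows

def flag_volume_anomalies(rows, ratio=20, floor=1000, office_hours=(8, 19)):
    # Per-user daily totals compared against the fleet-wide median, which a few
    # huge outliers cannot drag upward; off-hours lookups are counted as context.
    totals, off_hours = defaultdict(int), defaultdict(int)
    for ts, user, count in rows:
        totals[(user, ts.date())] += count
        if not office_hours[0] <= ts.hour < office_hours[1]:
            off_hours[(user, ts.date())] += 1
    threshold = max(floor, ratio * median(totals.values()))
    return sorted((u, d.isoformat(), t, off_hours[(u, d)])
                  for (u, d), t in totals.items() if t > threshold)

# Constructed subscriber records: (contract id, contract end date, None if live).
SUBSCRIBERS = [("C-0001", None), ("C-0002", "2012-03-01"),
               ("C-0003", "2019-06-15"), ("C-0004", "2023-11-30")]

def retention_review(records, today, retention_years=10):
    # Ended contracts older than the window go to a human review queue, not a
    # delete list. The 10-year window is illustrative, not a legal retention period.
    stale = []
    for contract_id, ended in records:
        if ended is not None:
            age = (today - date.fromisoformat(ended)).days / 365.25
            if age > retention_years:
                stale.append((contract_id, round(age, 1)))
    return stale
```

On the constructed log, the two late-September days of agent12 are flagged with their off-hours counts, while the ordinary lookups stay below the threshold; only the contract ended in 2012 lands in the retention queue.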

CNIL’s decision reflects a broader shift in how regulators assess incidents, focusing on how security controls, data handling, and response processes interact when something goes wrong. The message for CISOs is clear: avoidable weaknesses that widen the impact of breaches will not be tolerated.
