Free has reported that hackers breached its systems over the weekend, resulting in the theft of customer data. The French internet service provider (ISP) added that it had informed both the National Agency for the Security of Information Systems (ANSSI) and the National Commission for Information Technology and Civil Liberties (CNIL) of the cyberattack. A subsidiary of the Iliad Group, Free currently ranks as France’s second-largest ISP, boasting over 22.9 million mobile and fixed-line subscribers.
A Free spokesperson told BleepingComputer that all affected subscribers have either been informed or will be notified by email. The spokesperson added that “no operational impact was observed on our activities and services” and that “all necessary measures were taken immediately to put an end to this attack and strengthen the protection of our information systems.”
Extent of the data compromised
The breach involved an attack on a management tool, exposing data on 19.2 million customers and 5.11 million IBAN numbers. The stolen data is now listed for sale on the online platform BreachForums, with the individual claiming responsibility – known by the hacking nom-de-guerre ‘drussellx’ – alleging that the haul impacts one-third of the French population, including all subscribers to Free’s Free Mobile and Freebox services. To support these claims, the threat actor has shared sample data, including database headers and an archive file, as evidence of the data’s authenticity. Potential buyers have also been offered the option to conduct searches within the stolen database.
For its part, Free was keen to emphasise that the attackers did not gain access to customer passwords, bank card details, or any communication content, such as emails, SMS, or voice messages. The ISP additionally claimed that only certain fixed-line subscribers’ IBANs were exposed in the breach, and that this information alone would not permit a direct debit transaction from their bank accounts.
Even so, Free advised its subscribers to remain alert to any unauthorised transactions and possible phishing attempts. Under French banking regulations, banks are required to refund customers for any fraudulent direct debits reported within 13 months of the transaction. The company also recommended that customers avoid sharing any access codes or banking details via email, SMS, or phone calls.