Free SAS

On October 17, 2024, Free SAS experienced a data breach affecting 13.9 million records. The compromised data was subsequently offered for sale and later made public.

The exposed information includes names, physical addresses, phone numbers, genders, and dates of birth. For many records, bank account numbers (IBANs) were also compromised. Free stated that these bank account numbers are not sufficient to initiate direct debits.

This exposure of personal information, including names, addresses, and phone numbers, increases the risk of targeted phishing attempts and other social engineering attacks. The inclusion of dates of birth and genders can be used to build more convincing fraudulent communications. While Free indicated that the exposed bank account numbers are not directly usable for unauthorized debits, their presence alongside other personal data could still be leveraged in more sophisticated fraud schemes.

Change passwords for your Free.fr account and any other online accounts where you used the same or similar credentials. Enable two-factor authentication (2FA) wherever available to add an extra layer of security.

Monitor your bank accounts and credit reports for any suspicious activity. Even though Free stated that the exposed bank account numbers are not sufficient for direct debits, it is prudent to remain vigilant for any unauthorized transactions or new accounts opened in your name. Report any unusual activity to your bank immediately.

Be cautious of unsolicited communications, especially those claiming to be from Free or other financial institutions. Phishing attempts may use the exposed personal information to appear more legitimate. Do not click on suspicious links or download attachments from unknown senders. Verify the authenticity of any urgent requests for personal or financial information through official channels, not by responding directly to the communication.

The French Data Protection Authority (CNIL) has issued multiple fines against Free SAS. On January 8, 2026, CNIL imposed two fines totaling EUR 42.0 million (EUR 27.0 million and EUR 15.0 million) for insufficient technical and organizational measures to ensure information security, citing violations of GDPR Articles 5(1)e, 32, and 34. Additionally, CNIL issued fines of EUR 300,000 on December 8, 2022, and EUR 300,000 on December 28, 2021, for insufficient fulfillment of data subjects' rights under GDPR Articles 12, 15, 17, 21, 25, 32, and 33.