Free SAS

free.fr
📱Communication

Free SAS is a French internet service provider. It offers telecommunications services, including internet, television, and mobile phone services, primarily in France.

Key Takeaways

  • Names, physical addresses, phone numbers, genders, dates of birth, and bank account numbers for 13.9 million people were exposed in October 2024.
  • This incident is part of a pattern of data breaches affecting telecommunications companies.
  • You should be alert to potential fraud attempts, especially those using your personal information or bank account details.

Breach Overview

In October 2024, a data breach at Free SAS exposed the personal information of 13.9 million people. The exposed data included names, physical addresses, phone numbers, genders, and dates of birth. For many records, bank account numbers (IBANs) were also exposed. Free SAS has publicly acknowledged this incident, stating that the exposed bank account numbers were "not enough to make a direct debit from a bank."

This exposure means that a significant amount of personal and financial information is now accessible to unauthorized parties.

Exposed Data

  • Bank account numbers
  • Dates of birth
  • Genders
  • Names
  • Phone numbers
  • Physical addresses

Timeline & Cause

The data breach occurred in October 2024. The incident was disclosed on May 27, 2025. The specific cause of the breach was not detailed in the available information.

Next Steps

Given the exposure of names, addresses, phone numbers, dates of birth, and bank account numbers, you should be vigilant about potential fraud. While Free SAS stated that the bank account numbers are not sufficient for direct debits, this information combined with other exposed data could be used for targeted phishing attempts or identity theft. Monitor your bank statements and other financial accounts for any suspicious activity. Be cautious of unexpected calls, emails, or messages asking for personal information, even if they appear to be from Free SAS or your bank. Consider placing a fraud alert on your credit file to help prevent new accounts from being opened in your name.

GDPR Enforcement Record

| Date | Authority | Fine | Violation |
|---|---|---|---|
| 2026-01-08 | French Data Protection Authority (CNIL) | €27.0M | Insufficient technical and organisational measures to ensure information security |
| 2026-01-08 | French Data Protection Authority (CNIL) | €15.0M | Insufficient technical and organisational measures to ensure information security |
| 2022-12-08 | French Data Protection Authority (CNIL) | €300K | Insufficient fulfilment of data subjects' rights |
| 2021-12-28 | French Data Protection Authority (CNIL) | €300K | Insufficient fulfilment of data subjects' rights |

Source: enforcementtracker.com

The French Data Protection Authority (CNIL) issued two fines totaling EUR 42.0 million to Free SAS on January 8, 2026. These fines were for insufficient technical and organizational measures to ensure information security, in violation of Articles 5(1)(e), 32, and 34 of the GDPR. CNIL had previously fined Free SAS EUR 300,000 on December 8, 2022, and EUR 300,000 on December 28, 2021, for insufficient fulfillment of data subjects' rights.
