Free, one of France's leading internet service providers (ISPs) and a subsidiary of the Iliad Group, has confirmed a data breach following reports that hackers accessed and leaked sensitive customer information. The breach, initially flagged after data surfaced on a dark web marketplace, exposed the personal information of some of Free’s 22.9 million mobile and fixed broadband customers.
The ISP reported the incident after the hacker, who goes by the alias ‘drussellx,’ offered two databases for sale on the cybercrime forum BreachForums. The leaked data reportedly includes the names, phone numbers, email and postal addresses, and birthdates of affected customers.
The hacker claims that over 19 million customer accounts were compromised, along with the IBAN details of five million customers. According to drussellx, the exfiltration occurred on October 17, and the stolen information could affect nearly a third of France’s population if fully validated.
Free clarified that certain sensitive data types, such as customer passwords, bank card information, and communications (emails, SMS, and voice messages), were not accessed during the breach. The company also said that its core services remain unaffected.
In response to the breach, Free filed a criminal complaint with the French public prosecutor and informed both the French National Commission for Information Technology and Civil Liberties (CNIL) and the National Agency for the Security of Information Systems (ANSSI).
