
France’s second-largest ISP, Free, confirms a data breach

 

Free, a major internet service provider (ISP) in France, confirmed over the weekend that its systems were breached, leading to the theft of customer personal information.

The company, which reported over 22.9 million mobile and fixed subscribers as of June, is France’s second-largest telecommunications provider and a subsidiary of the Iliad Group, Europe’s sixth-largest mobile operator by subscriber count.

Following the incident, Free filed a criminal complaint with the public prosecutor and notified both the French National Commission for Information Technology and Civil Liberties (CNIL) and the National Agency for the Security of Information Systems (ANSSI).

“Affected subscribers have been or will be notified via email shortly,” a Free spokesperson told BleepingComputer, adding that “no operational impact was observed on our activities and services” and that “all necessary measures were taken immediately to stop this attack and enhance our information system security.”

The attack specifically targeted a management tool, compromising subscriber data. However, the attackers failed to access passwords, bank card information, or communication content (including emails, SMS, and voice messages).

The stolen data has now surfaced on BreachForums, where the threat actor, known as “drussellx,” claims that the breach affects nearly a third of France’s population.

Allegedly stolen data up for sale (BleepingComputer)

“The breach impacts 19.2 million customers and includes over 5.11 million IBAN numbers. All Free Mobile and Freebox customers are affected, with IBANs for 5.11 million Freebox subscribers included,” the threat actor alleged.

To substantiate these claims, they provided an archive containing samples of the stolen data, screenshots, and database headers as evidence of the auctioned data’s legitimacy.

Additionally, the threat actor offered potential buyers the chance to search the stolen database, asserting that “the entire recovered database” is available for sale.

Regarding the compromised IBANs (International Bank Account Numbers), Free stated that only certain fixed subscribers’ IBANs were accessed and clarified that these details alone are insufficient to authorize a direct debit.

“If subscribers notice any unexpected direct debit not linked to a known invoice, they have 13 months to report it for a bank reimbursement,” Free advised.

“We also urge subscribers to stay vigilant against phishing attempts. Never disclose your access codes or bank card details by email, SMS, or during a phone call.”

A Free spokesperson has yet to confirm the detection timeline of the incident or the number of impacted customers, despite requests from BleepingComputer for additional information.

 


Source: BleepingComputer
