France's Second-Largest Telecoms Provider Free Suffered a Cyber Attack

Summary:
French internet service provider Free has publicly disclosed a significant cyber attack that has compromised certain personal information of its customers. As the second-largest ISP in France, with over 22.9 million mobile and fixed subscribers, Free plays a crucial role in the country's telecommunications landscape. The attack came to light over the weekend when threat actors attempted to sell stolen data on a prominent cybercrime forum, raising concerns about the security of customer information.

According to Free S.A.S., the parent company of Free, the breach involved unauthorized access to its internal management tool, which allowed the attackers to access personal data associated with some subscriber accounts. In a statement to Agence France-Presse (AFP), Free confirmed, "We were the victim of a cyberattack targeting a management tool," which resulted in "unauthorized access to some of the personal data associated with the accounts of certain subscribers." Importantly, the company emphasized that the breach did not compromise any passwords, bank card details, or the content of communications such as emails, SMS, or voice messages.

The specific details regarding the date and extent of the attack have not been disclosed, but the threat actors allegedly listed two databases for sale. One database reportedly contains information on nearly 19,192,948 customer accounts, while the other includes sensitive banking information, with 5.11 million IBAN details exposed. Alongside the data listings, the seller shared samples of the stolen information and accompanying screenshots, which included critical personal data such as first and last names, phone numbers, full postal addresses, dates of birth, and email addresses.

The breach is believed to have affected both Free Mobile and Freebox customers, with indications that the data leak dates back to October 17, 2024. Cybersecurity expert SaxX noted the alarming trend of cybercriminals creating profiles shortly before disclosing information about hacks or data leaks in France, suggesting that the authenticity of this incident should be approached with caution. The rise in AI-generated data leaks further complicates the verification of such claims.

Security Officer Comments:
In response to the attack, Free has filed a criminal complaint and reported the incident to French regulatory authorities, including the National Commission for Information Technology and Civil Liberties (CNIL) and the National Agency for the Security of Information Systems (ANSSI). The company assured its customers that immediate measures were taken to mitigate the security breach and reinforce the protection of its information systems. "All necessary measures have been taken immediately to put an end to this attack and strengthen the protection of our information systems," Free stated.

Suggested Corrections:
Although no operational impact has been observed on Free's activities or services, the incident raises significant concerns about cybersecurity within the telecommunications sector, especially following recent reports of similar breaches affecting other telecom operators, such as SFR. As the landscape of cyber threats continues to evolve, the importance of robust security measures and customer awareness remains paramount.

Link(s):
https://securityaffairs.com/170333/data-breach/free-suffered-a-cyber-attack.html