France’s data protection regulator has fined a French telecom giant $42 million for cybersecurity vulnerabilities that contributed to a massive data breach.

In October 2024, a hacker penetrated the information systems at France’s Free SAS and sister company Free Mobile, accessing personal data, including international bank account numbers, for 24 million subscribers. 

Free SAS is a major telecommunications provider and Free Mobile is a mobile network operator. Both are subsidiaries of France’s Groupe Iliad.

The data protection regulator, known as CNIL, launched an investigation in the wake of the breach and found violations of Europe’s General Data Protection Regulation (GDPR).

Free was fined €27 million ($31 million) and Free SAS €15 million ($17 million), CNIL said Wednesday.

A spokesperson for Groupe Iliad did not immediately respond to a request for comment.

The fine amounts were influenced by the sensitivity of the hacked data and the companies’ large profits and “lack of knowledge of essential security principles,” according to a CNIL press release.

The companies lacked adequate security measures, including by offering a weak authentication procedure for connecting to their VPNs and no effective measures for detecting unusual activity on their information systems, CNIL said.

The companies violated GDPR breach notification requirements by not offering impacted customers enough information to “directly understand the consequences of the breach, nor the measures they could take to protect themselves from them.”

Free Mobile also retained former subscribers' data, unnecessarily putting it at risk, CNIL alleged.

Since the start of the probe, they have taken steps to improve their security, the agency said, and are ordered to continue to do so.