France’s leading internet service provider, Free, disclosed on the weekend that it had fallen victim to a cyberattack, resulting in unauthorized access to customers’ sensitive personal information being compromised.
The corporation, boasting over 22.9 million cellular and fixed subscribers at year-end, ranks as France’s second-largest telecommunications company and a subsidiary of the Iliad Group – the European continent’s sixth-largest mobile operator in terms of subscriber base.
Following the breach, Free filed a formal complaint with the public prosecutor’s office and alerted both the National Commission on Informatics and Liberty (CNIL) and the National Agency for the Security of Information Systems (ANSSI).
A Free spokesperson told BleepingComputer that affected subscribers will be notified via email shortly, assuring that “no operational impact was observed on our services and operations” and “all necessary measures were taken immediately to put an end to this attack and fortify the security of our data systems.”
The company revealed that the breach targeted an administrative tool that compromised users’ personal data. Despite the attack, hackers failed to access buyers’ sensitive information, including passwords, financial data, and communication contents – encompassing emails, SMS, voice messages, and more.
Stolen data from the recent assault is currently being sold at auction on BreachForums to the highest bidder, with the perpetrator, known as “drussellx,” claiming that the breach affects nearly one-third of France’s population.
The breach affects a staggering 19.2 million customers, compromising more than 5.11 million International Bank Account Numbers (IBAN). The cyberattack affects all Free Cell and Freebox clients, compromising the International Bank Account Numbers (IBANs) of approximately 5.1 million subscribers.
The parties provided an archival package comprising a range of documentation purportedly substantiating the authenticity of the data being put up for sale: namely, a collection of supposedly pilfered information, screenshot evidence, and database header records.
The alleged perpetrator claimed to be willing to provide potential buyers with unrestricted access to the stolen database, boasting that “the entirety of your recovered database” would be made available for verification.
According to Free, the perpetrators likely target specific fixed subscribers’ IBANs, but these numbers alone are insufficient to facilitate a direct bank transfer.
Subscribers who unexpectedly encounter a one-time direct debit that doesn’t match a familiar payment schedule or amount will be entitled to a full reimbursement from their bank, should they report the discrepancy in a timely manner. Free said they have 13 months to report the fraudulent direct debit.
“We also urge them to remain vigilant against suspicious and potentially malicious phishing attempts.” Never disclose your entry codes or financial institution cards, regardless of whether it’s via email, SMS, or over the phone.
When asked for further information on the timing of the incident’s detection and the number of customers affected, a spokesperson for A Free declined to provide additional details, responding to BleepingComputer’s inquiry today with only a brief statement.
