Free ISP Breach Compromises Millions, Threat Actor Threatens Data Leak
Free, a leading French ISP and subsidiary of Iliad Group, confirmed a major data breach on October 26, 2024, impacting millions of subscribers. This announcement followed a threat actor’s offer to sell the stolen data on a cybercrime forum, raising serious concerns about customer data security.
This hack comes on the heels of recent incidents in the French telecom sector, including a July attack on fiber optic cables that caused widespread service disruptions across several regions. These attacks, especially amid the high-profile Olympic Games event, have underscored the vulnerability of critical telecom infrastructure and heightened national concerns about cybersecurity.
In response to this latest breach, the telecom provider has notified regulatory authorities and strengthened its system defenses to limit further risk to affected users. In this post, we look into the details of the Free breach, its impact on customers, and steps to help safeguard against similar threats.
Details of the Breach
The breach at Free targeted an internal management tool, allowing attackers unauthorized access to specific subscriber information. The exposed data reportedly includes customers’ names, phone numbers, email addresses, postal addresses, dates of birth, and IBANs for some fixed-line subscribers.
Despite the large-scale data breach, Free has assured customers that no highly sensitive information, such as passwords, bank card details, or communication contents like emails, SMS messages, or voicemails, was accessed.
The attack was first brought to light when a threat actor attempted to sell the stolen data on BreachForums, boasting access to information belonging to millions of Free’s subscribers.
The data, which allegedly impacts over 19 million users and includes more than 5.11 million IBANs, was put up for auction. To lend credibility to their claims, the threat actor posted samples, including screenshots and database headers. They also offered prospective buyers the chance to search the database for verification.
The data breach reportedly impacts both Free Mobile and Freebox customers, with the stolen data dating back to October 17, 2024. Notably, the cybercriminal behind the breach created their profile only a day before announcing the leak.
Threat Actor Increases Pressure on Free, Threatening to Leak the Data
On October 26, 2024, the same day Free confirmed the data breach, the threat actor posted a new message on the Dark Web forum, raising the stakes with a threatening ultimatum.
The post referred to “100,000 lines of French IBANs from Free customers” and mentioned that a copy of this data would be sold for over $70,000 if Free did not intervene in the auction. The threat actor hinted at “serious consequences for customers” if the data remained unsold, suggesting that they might release it publicly on the forum if no one purchased it.
This additional threat amplifies the risks to affected customers, as public exposure of sensitive information could lead to widespread misuse and further compromise their privacy and security.
Potential Consequences and Risks for Free’s Subscribers
The breach at Free carries significant implications for both affected customers and the company’s reputation. With exposed data that includes IBANs, contact information, and other personal details, subscribers now face potential threats to their privacy and security.
While Free has clarified that the stolen IBANs alone are insufficient to initiate unauthorized debits, the presence of such sensitive information could still fuel targeted phishing attacks, identity theft, and other forms of fraud.
In the wake of this breach, organizations can benefit from enhanced cybersecurity strategies, including Dark Web monitoring and real-time alerts for exposed data. SOCRadar’s Advanced Dark Web Monitoring module can help by tracking mentions of sensitive information on dark web forums and marketplaces, providing timely alerts when customer data or other critical assets are at risk.
With automated alarms, companies like Free can take swift action to protect their subscribers and respond proactively to emerging threats.
Free’s Actions and What This Breach Means for the Telecom Sector
In the wake of this breach, the telecom provider has strengthened its cybersecurity defenses, filed a criminal complaint, and alerted regulatory bodies including CNIL and ANSSI. To keep customers informed, the company is also sending direct notifications to affected individuals, offering guidance on how to stay protected.
This incident underscores a pressing issue for the telecom industry in France and beyond – the security of customer management systems that hold vast amounts of sensitive data. With multiple recent attacks targeting French telecom providers, there is an urgent need for industry-wide standards to secure customer data and prevent unauthorized access.
At this time, subscribers are advised to avoid clicking on suspicious links, refrain from sharing sensitive information, secure their accounts with strong passwords, and enable Multi-Factor Authentication (MFA).
Stay ahead of emerging threats with SOCRadar’s Dark Web News, which delivers timely updates on hacker activity.
Monitoring dark web forums and hacker channels helps your organization stay proactive, providing the insights needed to anticipate and counter potential security risks.