French internet service provider Free confirms data breach

Free, the second largest internet service provider in France, acknowledges it was the target of a massive cyberattack last Friday, leaking personal information of potentially millions of customers.

According to French news outlets like Le Figaro, the threat actor responsible for the data breach was able to obtain 5.11 million IBAN-numbers

A Free spokesperson told BleepingComputer that the attacker targeted a management tool containing personal information of its customers.

The spokesperson wouldn’t say what details were exfiltrated. The telephone operator however confirmed to French media that the threat actor was able to steal names, dates of birth, postal addresses, email addresses, telephone numbers, subscriber identifiers, and contractual data.

No passwords, bank card information or external communication were obtained.

Affected customers have been or will be informed shortly. The French data protection authority CNIL and France’s national cybersecurity agency ANSSI have been notified of the incident.

The spokesperson adds that “all necessary measures were taken immediately to put an end to this attack and strengthen the protection of our information systems”.

Meanwhile, a threat actor called ‘drussellx’ posted a message on BreachForums, claiming he’s responsible for the breach at France’s second largest internet service provider.

“Today, I’m selling the database of the French-based ISP ‘Free SAS’. The data breach affects 19.2 million customers and contains over 5.11 million IBAN numbers. It affects all Free Mobile and Freebox customers, and includes the IBANs of all 5.11 million Freebox subscribers,” he says on the dark web.

The hacker allegedly stole 43.6 GB of data from Free.

The telephone operator has yet to confirm how many customers have been impacted by the data breach. The company recommends victims to closely monitor their financial transactions, report any suspicious activity, and to be vigilant against phishing attacks.