Free ISP announces data breach, millions of users possibly affected

News
By
published

More than 19 million customers may have had their sensitive data stolen

Data Breach
Image Credit: Shutterstock (Image credit: Shutterstock)

One of the biggest internet service providers (ISP) in France has confirmed suffering a cyberattack that saw it lose sensitive customer data.

A threat actor alias “drusselx” opened a new thread on the infamous Breach forums, advertising a major database for sale, claiming it contains data on 19.2 million Free customers, and holds more than 5.11 million IBAN numbers.

An IBAN (International Bank Account Number) is a unique identifier for bank accounts used in international transactions to ensure accuracy and streamline cross-border payments. While an IBAN cannot be used directly to make money withdrawals, it is still a valuable piece of information that can be abused in other ways. “It affects all Free Mobile and Freebox customers, and includes the IBANs of all 5.11 million Freebox subscribers,” the ad concluded.

Smash and grab

"The affected subscribers have been or will be informed by email shortly," a Free spokesperson told BleepingComputer. "No operational impact was observed on our activities and services" the spokesperson added, stating that "all necessary measures were taken immediately to put an end to this attack and strengthen the protection of our information systems."

It seems this was a simple smash-and-grab. The company filed a criminal complaint, and notified the appropriate authorities. Free also added that the crooks did not steal passwords, bank card information, and communications content (even though drusselx did not mention it).

The ISP had almost 23 million subscribers this summer, and is considered the second-largest telecommunications company in France.

It warned customers to be vigilant of any suspicious bank transfers, noting, "If subscribers nevertheless notice an unusual direct debit, not corresponding to any date and no known invoice amount, their bank is obliged to reimburse them. They have 13 months to report the fraudulent direct debit."

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.