France’s data protection regulator, CNIL, has fined telecom giant Groupe Iliad $48 million due to significant cybersecurity lapses that led to a data breach affecting 24 million subscribers. The breach, which occurred in October 2024, allowed hackers to access sensitive personal information, including international bank account numbers, from the systems of Free SAS and its subsidiary, Free Mobile. CNIL determined that both companies violated the General Data Protection Regulation (GDPR) and imposed fines of €27 million ($31 million) on Free and €15 million ($17 million) on Free SAS. The investigation revealed that the companies had inadequate security measures in place, such as a weak authentication process for their VPNs and a failure to detect unusual activity in their systems. They also did not comply with GDPR requirements by failing to inform affected customers adequately about the breach and the steps they could take to mitigate its impact. CNIL highlighted the companies’ negligence, pointing to their lack of understanding of basic security principles. In response to the fine, a spokesperson for Groupe Iliad announced plans to appeal the decision, arguing that the penalties are excessive compared to previous cases. They claimed to have since bolstered their security measures and stated that their systems now adhere to the highest security standards. The regulator noted that the companies must continue to enhance their security protocols going forward.