
Free, SFR, Orange, Bouygues: French Telecom Operators Under Siege from Cyberattacks

Full analysis of cyberattacks targeting French telecom operators: Free (19.2M customers), SFR, Orange, Bouygues, La Poste Mobile. Timeline, stolen data, IBAN fraud, SIM swapping, and protection measures.

Thomas Ferreira | 40 min read

On October 28, 2024, a hacker posted a data sample from Free Mobile on BreachForums. He claimed to hold the personal information of 19.2 million customers and the IBANs of 5 million Freebox subscribers. The bidding opened at $10,000. Days later, he announced the lot had sold for 160,000 euros.

Three weeks earlier, SFR had confirmed a breach affecting 3.6 million customers, IBANs included. Months before that, Altice (SFR's parent company) had seen 1.4 million records exfiltrated. La Poste Mobile, paralyzed by a LockBit ransomware attack in 2022, had its customer data published on the dark web. Orange, a decade earlier, had suffered two breaches in three months. Bouygues Telecom was not spared either.

Over ten years, all four major French telecom operators have been hit. None escaped. And the trend is accelerating: 2024 was, by far, the worst year yet.

This article reconstructs the full timeline of each incident, analyzes the attack vectors, explains why telecom operators are prime targets, and details the concrete consequences for the millions of French citizens whose data has been compromised. Every data point cited comes from verifiable sources: CNIL (France's data protection authority), ANSSI (France's national cybersecurity agency), Cybermalveillance.gouv.fr, corporate filings, and court documents.

For broader context on data breaches in France, see our directory of the 50 largest French data breaches.

Why Telecom Operators Are Prime Targets

Before diving into the incident timeline, it is worth understanding what makes telecom operators so attractive to attackers. The answer boils down to three factors: volume, quality, and monetization.

Data Volume

A telecom operator like Free, SFR, or Orange manages tens of millions of customer accounts. Free reported 23.06 million mobile and fixed-line subscribers at the end of September 2024 (ARCEP Q3 2024 report). SFR had 23.4 million. Orange had 46.2 million in France. Bouygues Telecom had 15.5 million. A single compromised credential granting access to an internal management tool can expose nearly the entire database.

Compare that to a breach at a retail chain or a hospital: the volumes are in a different league entirely. When a hacker compromises a telecom operator, they obtain a "mega-lot" of data that can be sold in bulk or sliced into subsets on cybercriminal marketplaces.

Data Quality

The data held by a telecom operator goes well beyond an email address and a password. It includes:

  • Full legal identity: first name, last name, date of birth, postal address. In France, operators are required to verify customer identity under the 2006 anti-terrorism law.
  • Contact details: email, mobile phone number.
  • Contract data: subscription type, customer number, sign-up date, contract duration.
  • Banking data: IBAN for direct debits, and sometimes the last four digits of the credit card.
  • Technical identifiers: IMSI numbers (SIM card identifier on the network), IP addresses, connection history.

This combination of data makes telecom customer databases prime raw material for three types of fraud: identity theft, SEPA direct debit fraud, and SIM swapping.

Monetization on the Dark Web

According to a 2024 Kaspersky report, a complete telecom customer record (identity + IBAN + mobile number) sells for 30 to 50 euros on dark web marketplaces. For a lot of 5 million records with IBANs - exactly what the Free hacker obtained - the wholesale price ranged from 75,000 to 160,000 euros. It is no coincidence the auction closed at 160,000 euros.

For perspective: a complete medical record sells for 150 to 250 euros (Ponemon Institute, 2023), but the volumes available per incident are far smaller. The volume-to-price ratio of telecom data makes it particularly profitable for resellers.

Free Mobile (October 2024): 19.2 Million Customers, 5 Million IBANs

This is the largest telecom operator hack in France. And one of the most severe data breaches in the country's history, after France Travail (43 million) and Viamedis-Almerys (33 million). For details on the France Travail attack, see our full analysis of the France Travail breach.

Timeline

October 21, 2024 - A user on the cybercriminal forum BreachForums, operating under the alias "drussellx," posts a message claiming to hold the data of 19.2 million Free customers. He publishes a sample of 100,000 rows to prove the data's authenticity.

October 25, 2024 - Free confirms it was the victim of a cyberattack targeting an internal "management tool." The operator files a criminal complaint and notifies the CNIL.

October 28, 2024 - The hacker puts the data up for auction on BreachForums. The starting price is set at $10,000. He reveals the lot includes the IBANs of 5 million Freebox subscribers.

October 29, 2024 - Free begins sending individual notifications to affected customers, as required by the GDPR. Two waves of notifications go out: one for customers whose personal data alone was compromised, and a second for those whose IBANs were also exposed.

October 31, 2024 - The hacker announces the data has been sold for 160,000 euros to a single buyer.

November–December 2024 - The first waves of fraudulent SEPA direct debits begin hitting victims' bank accounts. Hundreds of reports surface on social media and consumer forums.

Data Compromised

| Data type | Number of people affected |
| --- | --- |
| Full name, date of birth | 19.2 million |
| Email address | 19.2 million |
| Postal address | 19.2 million |
| Phone number | 19.2 million |
| Subscription details (plan, sign-up date) | 19.2 million |
| IBAN | 5 million (Freebox subscribers) |

The Attack Vector

Free never officially disclosed the precise attack vector. However, based on information published by the hacker and analysis from multiple security researchers, access was obtained through a compromised account with access to an internal customer management tool. This type of tool - often a CRM web portal used by customer service agents or retail store advisors - is a well-known weak point at telecom operators.

The question nobody asked publicly: why did a single account have access to all 19.2 million records? Access segmentation and the principle of least privilege should have limited the damage to a few thousand records at most. The absence of detection during several days of massive data exfiltration is another red flag.

The Fallout: A Wave of IBAN Fraud

The leak of 5 million IBANs triggered a fraud wave of unprecedented scale in France. To understand the mechanism, you need to know how SEPA direct debits work.

A SEPA direct debit can be initiated by any creditor holding a signed mandate from the debtor and the debtor's IBAN. In theory, the debtor's bank verifies the mandate before authorizing the debit. In practice, within the pan-European SEPA system, verification is weak: the debtor's bank trusts the creditor's bank, which trusts the creditor.

This is exactly what happened starting in November 2024. Reports of unauthorized direct debits multiplied. Amounts of 49.99 euros, 29.90 euros, or 19.99 euros - low enough to avoid triggering automatic alerts, high enough to be profitable at scale - appeared on the bank statements of thousands of victims.

The Banque de France (France's central bank) reminded the public that victims had a 13-month window to dispute an unauthorized SEPA direct debit (article L133-24 of the Monetary and Financial Code), with mandatory reimbursement within one business day. But how many people check every line of their bank statement?

Cybermalveillance.gouv.fr published a dedicated guide on the risks of stolen IBANs in November 2024, advising victims to:

  • Contact their bank immediately
  • Set up a whitelist of authorized creditors
  • Monitor account activity daily
  • Report any suspicious debit

SFR: A Series of Breaches in 2023–2024

SFR did not suffer one breach. It suffered several, over a span of less than 18 months. This accumulation raises serious questions about the cybersecurity maturity of France's second-largest telecom operator.

The Altice/SFR Breach of 2023 - 1.4 Million Records

In August 2023, a hacker listed for sale on BreachForums a file containing 1.4 million records presented as coming from Altice France's (SFR's parent company) customer database. The data included names, addresses, emails, phone numbers, and contract details.

Altice initially downplayed the incident before acknowledging that some of the data was authentic. The company was going through a major financial and managerial crisis at the time (debt restructuring, Patrick Drahi stepping back from operations), which likely did not help prioritize cybersecurity investments.

The SFR Breach of September 2024 - 3.6 Million Customers

On September 3, 2024, SFR notified the CNIL of a data breach. The attack targeted an order management tool accessed via compromised credentials. The data of 3.6 million customers was exposed:

  • Names, contact details
  • Contract numbers
  • Subscription plan details
  • For a subset of customers: IBANs and IMSI numbers

The exposure of IMSI numbers is particularly concerning. The IMSI (International Mobile Subscriber Identity) uniquely identifies a SIM card on the network. It is used in network authentication procedures. Combined with other data, it can facilitate advanced SIM swapping attacks.

The Repeating Pattern

Two breaches at SFR/Altice in under 18 months, with the same attack vector (compromised internal management tool via stolen credentials) and the same type of data exposed. This repetitive pattern suggests the corrective measures taken after the first breach were insufficient: either MFA was not deployed across all administration tools, access segmentation was not reviewed, or anomalous behavior detection was not in place.

The CNIL opened investigations into both incidents. At the time of writing, no sanctions have been handed down.

Orange: The First Operator Hit, Back in 2014

Orange was the first French telecom operator to suffer a large-scale data breach. In 2014, when awareness of cyber risk in France was still in its infancy, two incidents in three months cast a harsh light on the vulnerability of operator customer databases.

January 2014: 1.3 Million Customers

On January 16, 2014, Orange announced it had been the victim of an intrusion that led to the theft of data belonging to 1.3 million individuals - a mix of customers and prospects. The compromised data included names, email addresses, landline and mobile phone numbers, dates of birth, and the name of the mobile carrier (for non-Orange customers).

The attack vector was identified as a compromise of the technical platform of an external contractor responsible for sending commercial emails and SMS on behalf of Orange. This was one of the first cases in France where a major company's data breach originated from a supply chain vendor.

April 2014: Another 800,000 Customers

Three months later, on May 6, 2014, Orange disclosed a second intrusion. This time, 800,000 customers were affected. The data was similar: names, email addresses, phone numbers, dates of birth. Orange added that data about household composition and employer name was also among the compromised information.

The attack exploited a web page in Orange's Mon Compte (My Account) portal, where a technical flaw allowed unauthorized access to a server containing customer data.

Two Incidents, Two Vectors, One Outcome

What stands out about the two Orange incidents of 2014 is the diversity of vectors: the first came through an external contractor, the second through a direct web vulnerability. The operator had to acknowledge that its attack surface had gaps both internally and across its subcontracting chain.

At the time, the CNIL issued Orange a public warning - the harshest sanction available for this type of violation in 2014, before the GDPR took effect. Orange was required to strengthen its vendor oversight procedures and implement periodic security audits.

These incidents must be viewed in context: in 2014, the GDPR did not yet exist (it would take effect in 2018). The French Data Protection Act (Loi Informatique et Libertés) imposed a security obligation (article 34), but fines were capped at 150,000 euros. Today, the same incidents would expose Orange to penalties of tens of millions of euros.

Bouygues Telecom (2023): When the Weak Link Is a Partner

In September 2023, a hacker listed for sale on a cybercriminal forum a file containing data on 200,000 Bouygues Telecom customers. The data included names, email addresses, phone numbers, and subscription details.

The Vendor Compromise

Bouygues Telecom confirmed the incident and specified that the breach did not originate from its own IT systems but from those of a commercial partner with access to a portion of the customer database for loyalty and marketing operations. The vendor had been compromised through its own systems, allowing the attacker to exfiltrate the customer data it legitimately had access to.

The Structural Supply Chain Problem

The Bouygues case illustrates a problem found across the majority of telecom sector breaches: vendor dependency. An operator like Bouygues Telecom works with dozens of commercial, technical, and logistics partners that have varying degrees of access to customer data:

  • Marketing and loyalty agencies
  • Customer service contractors (outsourced call centers)
  • Distributors and resellers (partner retail locations)
  • Technical subcontractors (network maintenance, billing)
  • Delivery and logistics platforms

Each of these links is a potential entry point. And a chain is only as strong as its weakest link. ANSSI estimated in its 2024 Cyber Threat Overview (Panorama de la cybermenace 2024) that supply chain attacks increased by 30% year-over-year and now represent a major compromise vector for large French enterprises.

For SMBs working with these vendors - or serving as subcontractors to an operator themselves - the risk is twofold: they can be collateral victims of a breach, but also an unwitting vector of compromise. Auditing the email security of your partners is a concrete first step in supply chain oversight.

La Poste Mobile: Ransomware, Published Data, SIM Swapping

La Poste Mobile, a mobile virtual network operator (MVNO) running on SFR's network with roughly 2 million subscribers, suffered two distinct types of attacks between 2022 and 2023.

July 2022: The LockBit Attack

On July 4, 2022, the LockBit 3.0 ransomware group claimed an attack against La Poste Mobile. The operator's website was taken offline. IT systems were encrypted. LockBit issued an ultimatum: pay a ransom within 10 days, or the stolen data would be published.

La Poste Mobile confirmed the attack on July 8. The operator stated that customer data had potentially been compromised: names, addresses, phone numbers, dates of birth, and in some cases, digitized identity documents submitted during sign-up.

On July 12, LockBit began publishing samples of the stolen data on its dark web site. The data included scans of national ID cards, passports, and proof-of-address documents.

The publication of digitized identity documents represents a higher level of severity than a "standard" breach. A scanned national ID card enables full-blown identity theft: opening bank accounts, taking out loans, forging administrative documents. La Poste Mobile victims face an identity theft risk that will persist as long as their ID document remains valid - up to 15 years for a French national ID card.

2023: SIM Swapping Campaigns

In the months following the LockBit breach, SIM swapping campaigns specifically targeting La Poste Mobile customers were reported. SIM swapping - covered in detail later in this article - involves transferring a victim's phone number to a SIM card controlled by the attacker by impersonating the customer to the operator.

The data stolen during the LockBit attack provided exactly what was needed for these attacks: the customer's full identity, phone number, and in some cases, a copy of their ID document. Victims reported on the Que Choisir and Signal Arnaques forums discovering that their line had been transferred to another SIM without their consent, followed within hours by unauthorized bank debits.

This is a textbook example of cascading threats: a data breach fuels targeted fraud campaigns months or even years later.

The Systemic Supply Chain Problem in Telecoms

Reading through the timeline of each incident, a common thread emerges: in the majority of cases, the compromise did not target the operator's core network systems but rather peripheral tools or third-party vendors.

Recurring Attack Vectors

| Incident | Vector |
| --- | --- |
| Orange (January 2014) | Compromised email marketing vendor |
| Orange (April 2014) | Web vulnerability in customer portal |
| La Poste Mobile (2022) | LockBit ransomware (initial access unspecified) |
| Altice/SFR (2023) | Internal system compromise |
| Bouygues Telecom (2023) | Compromised commercial partner |
| SFR (September 2024) | Order management tool compromised via stolen credentials |
| Free (October 2024) | Internal management tool compromised via stolen account |

Out of seven major incidents, at least three directly involve a vendor or partner, and three others went through internal administration tools (often used by contractors or subcontractors). The telecom network itself - the infrastructure that carries your calls and data - is not the target. CRM systems, order management tools, partner portals, and marketing platforms are.

Why Internal Tools Are the Soft Underbelly

A telecom operator invests heavily in core network security: service continuity depends on it. But customer management tools, often built up over years through layers of application code, rarely receive the same level of protection.

These tools are accessible to thousands of users: retail store agents, call center advisors (including offshore call centers), field technicians, commercial partners. Each user is a potential entry point. Deploying MFA on these tools runs into operational constraints (login times in retail stores, staff turnover in call centers), and granular access segmentation - which would prevent a store agent from exporting 19 million records - is often sacrificed for operational speed.

This is a classic security-versus-productivity tradeoff. But when the consequence of a single compromised account is the exposure of 19.2 million records, the tradeoff is the wrong one.
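The detection gap noted for the Free and SFR incidents (one account reading millions of records without raising an alert) can be closed with a per-account volume check on the management tool's audit log. The sketch below is an added example, not code from any operator: the log format, account names, roles, and per-role limits are all assumptions. It runs the same sliding-window check twice, hourly to catch a bulk export and daily to catch slower extraction that stays under the hourly ceiling.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit-log lines for a hypothetical CRM portal; the field layout
# (user=, role=, action=, records=) is an assumption, not a real product format.
SAMPLE_LOG = """\
2024-10-14T08:00:00Z user=cc_advisor_08 role=callcenter action=search records=300
2024-10-14T09:02:11Z user=store_agent_17 role=store action=view records=1
2024-10-14T09:05:40Z user=store_agent_17 role=store action=view records=1
2024-10-14T09:20:00Z user=store_agent_42 role=store action=export records=150
2024-10-14T09:31:00Z user=store_agent_42 role=store action=export records=5000
2024-10-14T09:33:00Z user=store_agent_42 role=store action=export records=5000
2024-10-14T10:00:00Z user=cc_advisor_08 role=callcenter action=search records=300
2024-10-14T12:00:00Z user=cc_advisor_08 role=callcenter action=search records=300
2024-10-14T14:00:00Z user=cc_advisor_08 role=callcenter action=search records=300
2024-10-14T16:00:00Z user=cc_advisor_08 role=callcenter action=search records=300
this line is truncated and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) records=(?P<records>\d+)$"
)

# Hypothetical ceilings: customer records one account may touch per window.
HOURLY_LIMITS = {"store": 200, "callcenter": 400, "backoffice": 5000}
DAILY_LIMITS = {"store": 800, "callcenter": 1000, "backoffice": 20000}
DEFAULT_LIMIT = 100  # applied to roles missing from the table (fail closed)


def parse_line(line):
    """Return (timestamp, user, role, action, records) or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["user"], m["role"], m["action"], int(m["records"])


def detect_bulk_access(log_text, limits, window, default_limit=DEFAULT_LIMIT):
    """Alert once per account when records touched inside `window` exceed
    the ceiling for that account's role."""
    events = sorted(e for e in map(parse_line, log_text.splitlines()) if e)
    recent = defaultdict(deque)  # user -> (timestamp, records) still in window
    totals = defaultdict(int)    # user -> records touched inside the window
    alerted, alerts = set(), []
    for ts, user, role, _action, records in events:
        queue = recent[user]
        queue.append((ts, records))
        totals[user] += records
        # Drop events that have aged out of the sliding window.
        while queue and ts - queue[0][0] > window:
            totals[user] -= queue.popleft()[1]
        limit = limits.get(role, default_limit)
        if totals[user] > limit and user not in alerted:
            alerted.add(user)
            alerts.append({
                "user": user,
                "role": role,
                "at": ts,
                "records_in_window": totals[user],
                "limit": limit,
            })
    return alerts


if __name__ == "__main__":
    for name, limits, window in (
        ("hourly", HOURLY_LIMITS, timedelta(hours=1)),
        ("daily", DAILY_LIMITS, timedelta(days=1)),
    ):
        for alert in detect_bulk_access(SAMPLE_LOG, limits, window):
            print(name, alert)
```

The ceilings only make sense if they are derived from what each role legitimately needs, which is the same exercise as scoping access by least privilege.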

What Happens to Stolen Data: From the Dark Web to Your Bank Account

A data breach is not a one-time event. It is the start of a fraud chain that can last years. Here are the three main ways stolen telecom data is exploited.

Resale on Cybercriminal Marketplaces

Stolen data is first sold in bulk (the "mega-lot"), then sliced into specialized subsets and resold to specialized fraudsters. A lot containing IBANs goes to banking fraud specialists. A lot containing IMSI numbers goes to SIM swapping specialists. A lot containing emails goes to phishing campaign operators.

The shelf life of data on criminal marketplaces is long. Data stolen from Orange in 2014 is still circulating in 2026. Names and dates of birth do not change. Addresses rarely change. The data accumulates, cross-references, and enriches itself: an attacker can combine Free breach data (name + address + IBAN) with France Travail breach data (social security number) to build a complete identity theft dossier.

Targeted Phishing (Spear Phishing)

Telecom breach data feeds directly into phishing campaigns. An attacker who knows your name, your operator, your subscription plan, and your address can send you an email or SMS that perfectly mimics a communication from Free or SFR:

"Mr. Dupont, following the security incident you were notified about, we invite you to update your banking details to avoid any service interruption. Click here to access your secure customer portal."

This type of message is highly effective because it references a real event (the victim knows there was a breach), it is personalized (the name and operator are correct), and it exploits the psychological biases of urgency and authority that drive immediate action.

According to the Cybermalveillance.gouv.fr 2024 barometer, phishing reports impersonating telecom operators increased by 78% between October and December 2024, in direct correlation with the Free and SFR breaches. The exploitation is mechanical: when the data is fresh, phishing campaigns launch within days.

For a deeper look at phishing mechanics and how to test your team's resilience, see our guide to phishing simulation in the workplace.

SIM Swapping: The Attack That Drains Your Bank Account

SIM swapping is arguably the most severe consequence of telecom data breaches, because it bypasses SMS-based two-factor authentication (2FA) - the security mechanism used by the vast majority of French banks.

How it works:

  1. The attacker has the victim's personal data (name, date of birth, address, customer number) from a telecom breach.
  2. He contacts the operator (by phone, in-store, or through the customer portal), impersonating the victim.
  3. He requests a SIM replacement, claiming loss, theft, or a phone change.
  4. The operator, after identity verification (security questions the attacker can answer using the stolen data), transfers the number to a new SIM.
  5. The victim immediately loses mobile network service.
  6. The attacker, now receiving the victim's SMS messages, accesses their bank accounts and validates transfers or payments.

The OCLCTIC (France's central office for the fight against IT-related crime) reported a 40% increase in SIM swapping reports in France in 2024, a spike directly correlated with the SFR and Free breaches.

The amounts at stake are substantial. In June 2023, the French national police dismantled a SIM swapping ring that had stolen over 600,000 euros in just a few months. Victims were systematically identified using data from previous breaches.

This is why cybersecurity professionals recommend never using SMS as a second authentication factor, and instead using an authenticator app (Google Authenticator, Authy, Microsoft Authenticator) or a physical security key (YubiKey, Titan).

The IBAN Fraud Wave: A New Phenomenon in France

Before the Free breach of October 2024, SEPA direct debit fraud using stolen IBANs was a relatively marginal phenomenon in France. IBANs circulate naturally (you give them to your employer, landlord, and creditors), but their mass exploitation for fraud requires a volume of data that only a major breach can provide.

How Fraudulent SEPA Direct Debits Work

The SEPA direct debit system relies on a mandate signed by the debtor authorizing the creditor to withdraw funds from their account. In theory, the debtor's bank verifies the mandate before authorizing the debit. In practice, within the pan-European SEPA system, verification is weak: the debtor's bank trusts the creditor's bank, which trusts the creditor.

A fraudster can therefore:

  1. Set up a shell company (or use an existing one)
  2. Open a bank account in the company's name
  3. Register as a SEPA creditor with the bank
  4. Submit direct debit requests using stolen IBANs
  5. Withdraw moderate amounts (10 to 50 euros) to avoid triggering alerts
  6. Transfer the funds to overseas accounts before disputes are filed

The Scale After the Free Breach

After the Free breach, reports of unauthorized SEPA direct debits surged. The Observatoire de la sécurité des moyens de paiement (a Banque de France oversight body) issued a statement in December 2024 reminding consumers of their rights and banks of their obligations.

Several attorneys specializing in banking law reported a surge of clients victimized by fraudulent direct debits starting in November 2024. Maître Hélène Lebon, a Paris-based attorney specializing in cybercrime, told L'Express that "the IBANs from the Free breach are fueling a fraud industry that will last months, if not years."

How to Protect Yourself

Protection against IBAN fraud rests on three pillars:

1. Creditor Whitelisting

Most French banks allow you to restrict SEPA direct debits to creditors you have explicitly authorized. This feature, known as a "whitelist" or "authorized creditor list," is accessible through the online banking portal of most banks. If your bank does not offer it, demand it in writing.

2. Daily Monitoring

Check your bank statements every day. Fraudsters count on the fact that most people only review their statements once a month. A fraudulent debit of 19.99 euros can go unnoticed for weeks if you are not looking.

3. Prompt Dispute

If you spot an unauthorized direct debit, you have 13 months to dispute it (article L133-24 of the Monetary and Financial Code). The bank is required to reimburse you within one business day. Do not wait: the faster the dispute, the higher the chances of tracing and blocking the fraudster.
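The three pillars can be automated on top of a statement export, which matters most for a business account with many debits. The script below is an added example, not a bank's tool: the CSV layout, creditor names, creditor identifiers, and mandate references are constructed, and the 13-month window is counted from the debit date as an assumption. It goes one step beyond the bank-side whitelist by also flagging an unknown mandate presented under a known creditor.

```python
import calendar
import csv
import io
from datetime import date
from decimal import Decimal

# Constructed statement export; column names and all values are placeholders.
SAMPLE_CSV = """\
date,creditor_name,creditor_id,mandate_ref,amount_eur
2024-11-04,EXAMPLE ENERGIE,FR00ZZZ000001,MND-0001,84.20
2024-11-12,EXAMPLE TELECOM,FR00ZZZ000002,MND-0002,29.99
2024-11-18,UNKNOWN SERVICES LTD,XX00ZZZ999999,MND-7731,49.99
2024-11-29,UNKNOWN SERVICES LTD,XX00ZZZ999999,MND-7731,19.99
2024-12-02,EXAMPLE ENERGIE,FR00ZZZ000001,MND-0444,29.90
"""

# Local whitelist: creditor identifier -> mandate references actually signed.
WHITELIST = {
    "FR00ZZZ000001": {"MND-0001"},
    "FR00ZZZ000002": {"MND-0002"},
}

DISPUTE_MONTHS = 13  # dispute window cited in the article


def add_months(d, months):
    """Shift a date by whole months, clamping to the last day of the month."""
    year, month0 = divmod(d.year * 12 + (d.month - 1) + months, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return d.replace(year=year, month=month0 + 1, day=min(d.day, last_day))


def screen_debits(csv_text, whitelist, today):
    """Return the debits that match no authorized creditor/mandate pair,
    each with its dispute deadline and whether it can still be disputed."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        creditor_id = row["creditor_id"].strip().upper()
        mandate = row["mandate_ref"].strip()
        if creditor_id not in whitelist:
            reason = "creditor not on whitelist"
        elif mandate not in whitelist[creditor_id]:
            reason = "unknown mandate for known creditor"
        else:
            continue  # authorized creditor and mandate
        debit_date = date.fromisoformat(row["date"])
        deadline = add_months(debit_date, DISPUTE_MONTHS)
        findings.append({
            "date": debit_date,
            "creditor_name": row["creditor_name"],
            "creditor_id": creditor_id,
            "mandate_ref": mandate,
            "amount": Decimal(row["amount_eur"]),  # Decimal avoids float drift
            "reason": reason,
            "dispute_deadline": deadline,
            "still_disputable": today <= deadline,
        })
    return findings


def total_exposure(findings):
    """Sum of flagged debits, to size the dispute filed with the bank."""
    return sum((f["amount"] for f in findings), Decimal("0"))


if __name__ == "__main__":
    flagged = screen_debits(SAMPLE_CSV, WHITELIST, today=date(2025, 1, 15))
    for f in flagged:
        print(f["date"], f["creditor_name"], f["amount"], f["reason"],
              "dispute by", f["dispute_deadline"])
    print("total to dispute:", total_exposure(flagged))
```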

Regulators Facing Telecom Breaches: CNIL, ARCEP, and the Limits of the System

French telecom operators are subject to a dual regulatory framework covering data protection and network security.

The CNIL: The GDPR's Enforcement Arm

The CNIL (Commission nationale de l'informatique et des libertés, France's data protection authority) is responsible for sanctioning failures in personal data protection. Under the GDPR (effective since 2018), fines can reach 20 million euros or 4% of global annual turnover.

The CNIL opened investigations after the Free and SFR breaches of 2024. But proceedings are slow. For comparison, the 50-million-euro fine imposed on Google in 2019 for consent violations was issued six months after the complaint. More complex cases take 12 to 24 months.

Past CNIL sanctions against operators remain modest relative to the stakes. The public warning issued to Orange in 2014 carried no financial penalty. Whether the 2024 breaches - which occurred under the GDPR regime - will result in penalties proportional to the severity of the failures remains to be seen.

For SMBs that are customers of these operators and whose client data transited through compromised systems, the liability question is complex. The GDPR requires every data controller to verify that its processors provide "sufficient guarantees" of security (article 28). If you shared client data with an operator that gets hacked, your own liability may be engaged if you did not take steps to assess and manage the processor's security.

ARCEP: Network Security

ARCEP (Autorité de régulation des communications électroniques, des postes et de la distribution de la presse - the French telecom and postal regulator) oversees network and electronic communications service security. Article L33-1 of the Postal and Electronic Communications Code requires operators to take measures to "guarantee the security and integrity of networks and services."

ARCEP can impose financial sanctions of up to 3% of turnover (5% for repeat offenses) for security failures. In practice, ARCEP has historically focused more on network access and competition issues than on information system cybersecurity. The 2024 breaches could shift that dynamic.

The NIS2 Directive: A New Framework in 2025

The transposition of the NIS2 directive into French law (scheduled for October 2024, effective in early 2025) classifies telecom operators as essential entities, subject to the strictest cybersecurity obligations. Concretely, NIS2 mandates:

  • Board-level cybersecurity governance
  • Regular, documented risk assessments
  • Supply chain security
  • Notification of "significant" incidents within 24 hours (preliminary alert) then 72 hours (full notification)
  • Regular security audits

NIS2 penalties for essential entities reach 10 million euros or 2% of global annual turnover. These stack on top of GDPR and ARCEP sanctions, creating a regulatory overlay that should, in theory, push operators to invest more in security.

UFC-Que Choisir vs. Free: The Class Action

In December 2024, UFC-Que Choisir (France's leading consumer rights organization) announced a class action lawsuit against Free, arguing the operator had failed to meet its security obligations. This is one of the first class actions involving personal data in France (the mechanism has existed since the 2016 Justice for the 21st Century Act, but remains rarely used).

The outcome of this case will be closely watched across the sector. If Free is ordered to compensate millions of victims individually - even for modest amounts - the signal to other operators will be powerful.

The Full Timeline: Ten Years of Telecom Breaches in France

Here is the compiled chronology of all documented incidents affecting French telecom operators.

| Date | Operator | Victims | Key data exposed | Vector |
| --- | --- | --- | --- | --- |
| January 2014 | Orange | 1.3 million | Identity, email, phone | Email marketing vendor |
| April 2014 | Orange | 800,000 | Identity, email, phone, employer | Web flaw in customer portal |
| July 2022 | La Poste Mobile | ~2 million (unconfirmed) | Identity, ID documents, phone | LockBit 3.0 ransomware |
| 2023 | La Poste Mobile (SIM swapping) | Undetermined | Fraudulent number transfers | Exploitation of LockBit data |
| August 2023 | Altice/SFR | 1.4 million | Identity, address, email, contract | Internal compromise |
| September 2023 | Bouygues Telecom | 200,000 | Identity, email, phone, subscription | Commercial partner |
| September 2024 | SFR | 3.6 million | Identity, contract, IBAN, IMSI | Order management tool |
| October 2024 | Free | 19.2 million | Identity, subscription, 5M IBANs | Internal management tool |

Total: over 26 million compromised records, not counting duplicates (the same customer hit by multiple breaches). For the full database of cyber incidents in France, see our incident database.

What Businesses That Use These Operators Should Do

If your company uses the services of a French telecom operator - which every company does, without exception - you are affected by these breaches, directly or indirectly.

Your Business Data Is in the Compromised Databases

A professional mobile contract with Free, SFR, Orange, or Bouygues means the names, phone numbers, and email addresses of your employees are in the operator's customer database. If that database is compromised, your employees become identified targets for targeted phishing.

Worse: if attackers know that a specific mobile number belongs to the CFO of a specific company, they have everything they need to mount a "CEO fraud" (business email compromise) attack. Business phishing statistics show that BEC is the costliest vector, with a median cost of 50,000 euros per successful incident according to the FBI IC3.

Immediate Steps

1. Audit the data shared with your operator

Identify which employees have professional mobile contracts, what data was shared (IMSI numbers, company IBAN for invoice direct debits, user identities). If that data is in a compromised database, consider it public.

2. Change access credentials

If your employees have accounts on operator customer portals (to manage their lines), change the passwords and enable MFA.

3. Alert your employees

Inform staff that their data was potentially compromised and that they should be vigilant against phishing attempts impersonating their operator. An internal awareness email with concrete examples of fake messages takes 20 minutes to draft and can prevent an incident.

4. Strengthen banking security

If the company's IBAN is in a compromised database, contact your bank to set up a direct debit whitelist and enhanced controls on outgoing transfers.

5. Run a targeted phishing simulation

Launch a phishing simulation campaign using a "fake message from your operator" scenario to test employee reactions. The timing is ideal: the context is real, the threat is concrete, and the click rate on this type of scenario is revealing. Running your first simulation takes less than 15 minutes.

The Company's Legal Liability

The GDPR requires data controllers (your company) to account for risks tied to their processors and vendors. If you share client data with a telecom operator that gets hacked, your own liability may be engaged if you did not take steps to evaluate and govern the processor's security.

Concretely, this means:

  • Reviewing security clauses in your operator contracts
  • Requiring incident notification guarantees
  • Documenting your third-party risk assessment process

For SMBs subject to compliance obligations (NIS2, DORA, cyber insurance), proof of a proactive third-party risk management approach is increasingly expected. Our article on cyber insurance and employee training proof details insurer expectations.

How Individuals Can Protect Themselves

If you are or have been a customer of Free, SFR, Orange, Bouygues, or La Poste Mobile over the past decade, there is a very high probability that your personal data appears in at least one compromised database. Here are concrete steps that reduce your exposure.

Secure Your Accounts

Change your passwords on all operator customer portals. Use a unique, complex password (at least 14 characters, generated by a password manager). Never reuse the same password across multiple sites.

Enable two-factor authentication on every account that supports it. Prefer an authenticator app (Google Authenticator, Authy) over SMS. If your bank only offers SMS as a second factor, flag the issue and use every other available protection measure.

Secure Your Finances

Contact your bank to:

  • Set up a whitelist of authorized direct debit creditors
  • Enable real-time alerts for every direct debit
  • Check that no suspicious debits have been initiated recently
  • Request a block on unauthorized direct debits

Monitor your bank statements daily for the 6 months following a breach. Fraudsters sometimes wait weeks or months before exploiting stolen data.

Protect Against SIM Swapping

Contact your operator to:

  • Set up a security code or additional password for any operation on your line (SIM change, number portability)
  • Request that any contract modification requires enhanced verification (in-store visit with government ID)
  • Enable SIM change notifications if your operator offers them

Watch for signs of a SIM swap in progress: sudden loss of mobile network, SMS or calls no longer working, notification of a SIM change you did not request. If this happens, contact your operator and your bank immediately.

Stay Vigilant Against Phishing

Be suspicious of any contact claiming to come from your operator or bank. Attackers know that you know about the breaches and use that awareness against you: "following the incident, please verify your details," "your account has been secured - log in to confirm." These messages are traps.

Absolute rule: never click a link received by email or SMS from your operator. Go directly to the official website by typing the URL into your browser. For a deeper look at new phishing forms (quishing, vishing, smishing) and how to recognize them.

After Free: What Changed (and What Didn't)

The Free breach of October 2024 triggered a wave of awareness - at least temporarily. A few shifts are visible.

What Has Moved

The debate over IBAN storage. Several members of the French parliament pressed the government on the need to limit how long operators retain banking data. Does an operator truly need to keep the IBANs of 5 million Freebox customers in a database accessible from an administration tool? Tokenization or storage in a separate cryptographic vault would dramatically limit the damage in case of compromise.
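To make the tokenization idea concrete, here is an added sketch (not code from any operator or from this article) of a vault that keeps IBANs out of the CRM: the CRM row holds only a random token, screens show a masked value, and only one role can read the real IBAN, with every attempt audited. The class, the role names and the in-memory storage are assumptions; a production vault would be a separate service that encrypts its store at rest.

```python
import secrets

class IbanVault:
    """Hypothetical vault service: the only component that stores real IBANs."""
    DETOKENIZE_ROLES = {"billing-batch"}  # assumed role name

    def __init__(self):
        self._by_token = {}  # token -> IBAN (a real vault encrypts this at rest)
        self._by_iban = {}   # IBAN -> token, so one IBAN always maps to one token
        self.audit = []      # (caller, role, token, allowed) for every read attempt

    @staticmethod
    def normalize(iban):
        return "".join(iban.split()).upper()

    @staticmethod
    def is_valid(iban):
        """ISO 13616 mod-97 check on a normalized IBAN."""
        if not (iban.isascii() and iban.isalnum() and 15 <= len(iban) <= 34):
            return False
        rearranged = iban[4:] + iban[:4]
        return int("".join(str(int(c, 36)) for c in rearranged)) % 97 == 1

    def tokenize(self, iban):
        iban = self.normalize(iban)
        if not self.is_valid(iban):
            raise ValueError("IBAN fails the mod-97 check")
        if iban not in self._by_iban:
            token = "tok_" + secrets.token_urlsafe(16)  # random, not derived from the IBAN
            self._by_iban[iban], self._by_token[token] = token, iban
        return self._by_iban[iban]

    def masked(self, token):
        """What a CRM screen may show: country/check digits and last four characters."""
        iban = self._by_token[token]
        return iban[:4] + "*" * (len(iban) - 8) + iban[-4:]

    def detokenize(self, token, caller, role):
        allowed = role in self.DETOKENIZE_ROLES
        self.audit.append((caller, role, token, allowed))
        if not allowed:
            raise PermissionError(f"role {role!r} may not read IBANs")
        return self._by_token[token]

# Constructed CRM row: it carries the token only, never the IBAN itself.
vault = IbanVault()
SAMPLE_IBAN = "FR14 2004 1010 0505 0001 3M02 606"  # sample value, not a customer's
crm_row = {"customer_id": 1001, "iban_token": vault.tokenize(SAMPLE_IBAN)}
```

With this split, a dump of the CRM table yields tokens that are useless for direct debit fraud, and the denied read attempts in the audit trail become a detection signal in their own right.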

Pressure from cyber insurers. Insurers covering telecom operators' cyber risk have begun demanding proof of access segmentation, universal MFA deployment, and anomalous behavior monitoring. Cyber insurance premiums for operators rose 30 to 50% following the 2024 incidents, according to insurance market sources.

The UFC-Que Choisir action. The class action launched against Free sets a precedent. If it succeeds, it will create case law applicable to the entire sector.

What Has Not Changed

CRM system architecture. Operator customer management tools remain, for the most part, monolithic systems where an authenticated user can access millions of records. Access segmentation by geographic zone, customer type, or data sensitivity level remains the exception, not the rule.

Vendor dependency. The operator business model relies on massive outsourcing: call centers, partner retail stores, technical subcontractors, marketing agencies. Each of these actors has access to customer data, and each is a potential attack vector. The NIS2 directive requires securing the supply chain, but concrete implementation will take years.

SMS as a banking authentication factor. Despite the known risks of SIM swapping, the vast majority of French banks continue using SMS as their sole second factor of authentication for sensitive operations. The PSD2 regulation mandates strong customer authentication but does not prohibit SMS. As long as SMS remains the standard, telecom data will remain a weapon for banking fraud.

The Impact on French SMBs: Beyond Individual Risk

Telecom data breaches do not only affect individuals. For French SMBs, the consequences are multiple and frequently underestimated.

CEO Fraud Risk

When an attacker has the CFO's professional mobile number, email address, and date of birth - all data available in compromised operator databases - they have the raw material to mount a CEO fraud attack. A spoofed phone call (or even an AI-cloned voice) followed by a credible email can convince an employee to process an urgent wire transfer.

The average cost of CEO fraud in France is 150,000 euros according to the OCRGDF (France's central office for the suppression of large-scale financial crime). SMBs, which often lack formalized dual-approval procedures for wire transfers, are the primary victims.

Service Interruption Risk

If an attacker successfully SIM-swaps the number of the company's CEO or IT manager and gains access to cloud accounts protected by SMS-based 2FA, the impact can escalate to complete business shutdown. The average downtime following a cyberattack for an SMB is 3 to 7 weeks, with direct and indirect costs between 58,600 and 466,000 euros.

Regulatory Risk

An SMB whose client data was exposed through a telecom breach must notify the CNIL if it determines the breach poses a risk to the individuals concerned. The fact that the breach originated from a vendor does not exempt it from the notification obligation. The GDPR requires notification within 72 hours - a very tight window for an SMB discovering that one of its processors has been compromised.

Takeaways and Actionable Recommendations

Ten years of data breaches at French telecom operators yield clear conclusions.

First conclusion: the problem is structural

The breaches are not isolated accidents. They result from a model where millions of sensitive data points (identity, banking details, network identifiers) are stored in systems accessible to thousands of internal and external users, with insufficient segmentation and often inadequate access monitoring. Until this architecture changes, breaches will continue.

Second conclusion: the supply chain is the critical weak link

Out of the seven major incidents documented here, at least three are directly attributable to a vendor or partner. Operators invest in core network security but underinvest in supply chain security. NIS2 will compel them to address this, but compliance will be slow and costly.

Third conclusion: stolen data has an unlimited shelf life

Data exfiltrated from Orange in 2014 is still exploitable in 2026. IBANs stolen from Free will fuel fraud for years. A name and a date of birth do not change. This means victim protection cannot be a one-time effort: it must be permanent.

Recommendations for businesses

  1. Drop SMS as a second authentication factor. Deploy authenticator apps (Microsoft Authenticator, Google Authenticator) or physical security keys (YubiKey) for all sensitive access.

  2. Segment access rights. A call center agent does not need access to 19 million records. Apply the principle of least privilege and log all access to customer data.

  3. Monitor your SEPA direct debits. Set up creditor whitelists and real-time alerts on company bank accounts.

  4. Train your employees on telecom-themed phishing. Phishing campaigns exploiting operator breaches are surging. A phishing simulation program with scenarios impersonating operators is the strongest defense. The average phishing click rate drops from 33% to under 5% after 12 months of regular simulation.

  5. Audit your vendors. Demand proof of MFA, data encryption, and access monitoring. A vendor that cannot provide these guarantees is a risk you carry.

  6. Prepare an incident response plan. If your operator notifies you of a breach, you have 72 hours to notify the CNIL if your own clients' data is impacted. That is not the moment to figure out the procedure.
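Recommendation 2 asks for all access to customer data to be logged; the logs only help if something reads them. The following added example (not from the article's sources) counts distinct customer records per account per hour and flags any account above a ceiling. The log format, account names and threshold are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

LINE = re.compile(r"^(\S+) agent=(\S+) action=(\w+) customer_id=(\d+)$")
MAX_DISTINCT_PER_HOUR = 30  # assumed ceiling for a call-center agent

def constructed_log():
    """Constructed sample: two ordinary agents and one account pulling records in bulk."""
    lines = []
    for m in range(0, 60, 6):   # cc-0412: 10 different customers in one hour
        lines.append(f"2024-10-01T09:{m:02d}:00Z agent=cc-0412 action=view customer_id={5000 + m}")
    for m in range(0, 60, 10):  # cc-0977: the same 2 customers viewed repeatedly
        lines.append(f"2024-10-01T09:{m:02d}:30Z agent=cc-0977 action=view customer_id={7000 + m % 20}")
    for s in range(600):        # partner-17: 600 sequential IDs in 10 minutes
        lines.append(f"2024-10-01T10:{s // 60:02d}:{s % 60:02d}Z agent=partner-17 "
                     f"action=export customer_id={100000 + s}")
    lines.append("malformed line without fields")
    return lines

def bulk_access_alerts(lines, limit=MAX_DISTINCT_PER_HOUR):
    """Return ([(agent, hour, distinct_records)], skipped_line_count)."""
    seen = defaultdict(set)  # (agent, hour) -> set of customer IDs touched
    skipped = 0
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            skipped += 1     # count unparseable lines instead of dropping them silently
            continue
        ts, agent, _action, customer_id = m.groups()
        hour = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").strftime("%Y-%m-%dT%H")
        seen[(agent, hour)].add(customer_id)
    alerts = sorted((a, h, len(ids)) for (a, h), ids in seen.items() if len(ids) > limit)
    return alerts, skipped

if __name__ == "__main__":
    print(bulk_access_alerts(constructed_log()))
```

Counting distinct records rather than raw requests keeps an agent who reopens the same file all day below the threshold while still catching an account that walks through the customer base.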

Recommendations for individuals

  1. Check your data at haveibeenpwned.com.
  2. Change your passwords on all operator customer portals (and everywhere you reused the same password).
  3. Enable app-based MFA (not SMS) on all sensitive accounts.
  4. Contact your bank to set up a direct debit whitelist.
  5. Monitor your bank statements daily.
  6. Report any anomaly to your bank and on the Cybermalveillance.gouv.fr platform.

The data of over 26 million French citizens is now in the hands of cybercriminals, thanks to telecom operator breaches. That number will keep growing. The question is not whether the next operator will be hit, but when. And your best protection is to assume your data is already compromised - and act accordingly.

For businesses, the first concrete step is testing your employees' resilience to phishing - the vector that directly exploits stolen data. Launch your first phishing simulation in 15 minutes and measure your actual risk level.

Thomas Ferreira - CISSP, cybersecurity consultant. I regularly publish analyses of cyber threats in France. Find all my articles at nophi.sh/en/blog.
