The Iliad group, which owns Free, admitted on October 25 that it was the victim of a cyberattack targeting a management tool. This breach allowed unauthorized access to part of the personal data of some subscribers, including names, birth dates, phone numbers, and email addresses, and affects over 19.2 million individuals. The hacker claimed to have sold this data, which includes 5.1 million bank account numbers, for $175,000. Free is notifying affected customers and offering assistance to address potential risks of identity theft and fraudulent transactions.
The Iliad group, which owns Free, has acknowledged that it fell victim to a cyberattack on Friday, October 25th, targeting a management tool. This breach resulted in unauthorized access to certain subscribers’ personal data. The perpetrator of this cyber heist claims to possess over 19.2 million personal details, including names, birth dates, phone numbers, email addresses, and postal addresses belonging to Free customers. Additionally, around 5.1 million IBANs (International Bank Account Numbers) may also be affected. The attacker has since stated that they sold the database containing this information for $175,000 (or 160,000 euros).
How can I determine if I am affected?
At this point, Free has not specified how many subscribers have been impacted. However, the company has begun notifying affected customers via email, particularly regarding their IBANs. The mobile operator and internet service provider assured, “All necessary measures have been immediately taken to end this attack and enhance the security of our information systems.” They added, “We sincerely regret this breach of your information’s confidentiality.” Free has established a support line (0 805 921 100) that is available seven days a week from 9 AM to 6 PM, free of charge, for inquiries.
What threats are Free customers facing?
Now that the database has been sold to a hacker (or potentially a group of hackers), it will be exploited to profit from the investment. Cybersecurity expert Baptiste Robert shared, “Given the announced purchase price by the cyberattack’s author, it is likely that the buyer will keep the database for a while.” He explained that the hacker will then sell the data piece by piece to other hackers, who will subsequently market it to others. Eventually, as the database’s value diminishes, it will likely be made public, allowing anyone to access it for free.
According to Robert, it’s likely that many of these details have already leaked in the past and are circulating. The most concerning aspect in this case is the banking information. “The hackers will use them to tailor and make their scamming attempts more convincing,” he warned, highlighting risks like identity theft and phishing campaigns. “Affected individuals will receive emails and texts urging them to click on fraudulent links aimed at stealing their usernames, passwords, or banking details. Identity theft remains a significant threat that warrants increased vigilance,” he added.
Increased risk of fraudulent withdrawals
While the leak of IBANs can be alarming, the Bank of France clarified that providing your bank account details (including IBAN) is not inherently risky. In fact, for a beneficiary to withdraw from your account, you must authorize it by signing a direct debit mandate. However, a fraudster “registered as a direct debit issuer with a payment service provider” could easily forge mandates for direct debits to IBANs they obtained unlawfully and without permission, thereby misappropriating funds, warned the French Banking Federation (FBF).
Fraudsters “can also subscribe to services or contracts that would be paid via direct debit,” the FBF noted. The Observatory on Payment Means Security (OSMP) recommends “regularly checking” and “updating your online banking portal with the list of authorized or banned creditors.” It is also advisable to monitor “carefully and regularly the direct debit transactions on your account and contest any fraudulent activity.” Refunds “are unconditional within eight weeks, regardless of whether there is a direct debit mandate.”
Challenges can be raised within thirteen months of the debit date. This period is reduced to seventy days when the payment recipient is outside the European Union (EU) or the European Economic Area. Your bank must refund the debited amount by the next business day and restore your account to its state as if the transaction had not occurred. As a precaution, reaching out to your banker can be wise to alert them about the situation and the heightened fraud risk concerning your bank account.