Free, France’s second largest ISP, confirms data breach after leak


Free, a major internet service provider (ISP) in France, confirmed over the weekend that hackers breached its systems and stole customer personal information.

The company, which says it had over 22.9 million mobile and fixed subscribers at the end of June, is the second-largest telecommunications company in France and a subsidiary of the Iliad Group, Europe’s sixth-largest mobile operator by number of subscribers.

Free has since filed a criminal complaint with the public prosecutor and notified the French National Commission for Information Technology and Civil Liberties (CNIL) and the National Agency for the Security of Information Systems (ANSSI) of the incident.

“The affected subscribers have been or will be informed by email shortly,” a Free spokesperson told BleepingComputer, adding that “no operational impact was observed on our activities and services” and “all necessary measures were taken immediately to put an end to this attack and strengthen the protection of our information systems.”

Free added that the attack targeted a management tool that exposed subscribers’ data. However, the attackers failed to access customer passwords, bank card information, and communications content (including “emails, SMS, voice messages, etc.”).

The data stolen in the attack is now being auctioned on BreachForums to the highest bidder, with the threat actor—known as “drussellx”—claiming that the breach impacts almost a third of France’s population.

[Image: Allegedly stolen Free data up for sale on BreachForums (BleepingComputer)]

“The data breach affects 19.2 million customers and contains over 5.11 million IBAN numbers. It affects all Free Mobile and Freebox customers, and includes the IBANs of all 5.11 million Freebox subscribers,” the threat actor says.

They also provided an archive containing some of the allegedly stolen data, screenshots, and database headers as proof that the data being auctioned is legitimate.

As further proof, the threat actor said they’re also willing to let potential customers search the stolen database to ensure that “the entire database that has been recovered” is for sale.

Regarding the stolen IBANs (International Bank Account Numbers), Free says the attackers could only steal those of certain fixed subscribers and that they’re “not enough to make a direct debit from a bank.”

“If subscribers nevertheless notice an unusual direct debit, not corresponding to any date and no known invoice amount, their bank is obliged to reimburse them. They have 13 months to report the fraudulent direct debit,” Free said,

“We also invite them to be vigilant against phishing attempts. Never communicate your access codes or bank card whether by email, SMS or during a call.”

BleepingComputer contacted Free earlier today for more details, including when the incident was detected and how many customers were affected, but a spokesperson has yet to provide that information.
