SFR, Free, Orange: Your Telecom Operators Lose Your Data
"SFR, Free, Orange: your mobile operators are supposed to protect your data. They regularly fail. And this time, they lost your IBANs."
Table of Contents
- Free: 19 Million Customers Exposed
- SFR: 1.4 Million Customers With IBAN
- Orange: A History of Leaks
- Boulanger: 27 Million Addresses
- Why Are Operators So Vulnerable?
- Telecom-Specific Risks
- How to Protect Yourself
- Your Rights and Recourse
- FAQ
- Conclusion: Operators Failing to Protect
- Sources
In 2024, France's major telecom operators suffered a wave of cyberattacks. SFR, Free, and even Orange saw the data of millions of customers exposed on the dark web.
The most alarming development: for the first time, IBANs (International Bank Account Numbers) were leaked on a massive scale. Your banking details are potentially in the hands of criminals.
Free: 19 Million Customers Exposed
19 million IBANs in the wild: a ticking time bomb for your bank accounts.
The October 2024 Attack
Free suffered one of the most significant data breaches of the year:
| Indicator | Figure |
|---|---|
| Customers affected | ~19 million |
| Data exposed | Name, email, phone, IBAN |
| Date | October 2024 |
| Method | Access to an internal database |
What Was Leaked
| Data | Exposed | Risk |
|---|---|---|
| Full name | Yes | Identity theft |
| Email address | Yes | Phishing |
| Phone number | Yes | Scams |
| Postal address | Yes | Fraudulent mail |
| IBAN | Yes | Fraudulent direct debits |
| Free account ID | Yes | Account takeover |
The IBAN Scandal
This was the first time a massive IBAN leak affected millions of French citizens:
"19 million IBANs in the wild. It's a ticking time bomb for millions of bank accounts."
-- Cybersecurity expert, ZDNet
What a criminal can do with your IBAN:
- Attempt fraudulent direct debits
- Create fake SEPA mandates
- Impersonate your banking identity
- Target you with personalized scams
The IBAN (International Bank Account Number) is used across Europe for SEPA (Single Euro Payments Area) direct debit mandates. Unlike a credit card number, an IBAN alone does not allow someone to withdraw money directly. However, it can be used to set up fraudulent SEPA direct debit mandates -- a criminal registers a fake company, submits your IBAN as having authorized a direct debit, and money is pulled from your account. While reversible, the process is slow and stressful for victims.
Source: Le Monde - Free Hack
SFR: 1.4 Million Customers With IBAN
1.4 million IBANs exposed: your automatic payments at risk.
The 2024 Attack
SFR was also hit, with a particularly concerning detail: IBANs were included in the breach.
| Indicator | Figure |
|---|---|
| Customers affected | ~1.4 million |
| Data exposed | Civil status, address, IBAN |
| Specificity | Customers with automatic payments |
Compromised Data
| Data | Exposed |
|---|---|
| Full name | Yes |
| Postal address | Yes |
| Phone number | Yes |
| Yes | |
| IBAN | Yes |
| Plan details | Yes |
SFR's Response
SFR notified affected customers by email. The operator stated it had:
- Strengthened security measures
- Notified the CNIL (France's data protection authority)
- Filed a criminal complaint
However, the damage was done: the data was already circulating on the dark web. The notification emails themselves became a vector for further attacks, as scammers sent fake "SFR security alert" messages mimicking the legitimate notifications, tricking panicked customers into clicking malicious links.
Source: Numerama - SFR Hack
Orange: A History of Leaks
Repeated incidents since 2014: France's historic operator is not spared.
Recurring Incidents
Orange has experienced multiple security incidents over the years:
| Year | Type of incident | Impact |
|---|---|---|
| 2014 | Massive leak | 1.3 million customers |
| 2020 | Unauthorized access | Customer data exposed |
| 2024 | Multiple incidents | Volume not publicly disclosed |
The Orange Case
Orange communicates less openly about its incidents, but the operator is far from immune:
- Customer data regularly targeted
- Subcontractors sometimes vulnerable
- Legacy systems still in operation
- Less transparent breach disclosures than competitors
Unlike Free and SFR, which were forced into public acknowledgment by the scale of their breaches, Orange has historically been more opaque. The 2014 breach affecting 1.3 million customers was significant at the time, and the pattern of incidents suggests systemic security challenges that the operator has never fully addressed.
Boulanger: 27 Million Addresses
27 million electronics customers: even retailers accumulate your data.
The Connected Case
While not a telecom operator, Boulanger (a major French electronics retailer) deserves mention:
| Indicator | Figure |
|---|---|
| People affected | ~27 million |
| Data leaked | Addresses, emails |
| Date | 2024 |
This breach illustrates the generalized vulnerability of France's digital commerce sector. Boulanger, like telecom operators, accumulated vast databases of customer information over decades of operations -- information that became a goldmine for attackers. The case is connected because many of the same customers who shop at Boulanger are also Free, SFR, or Orange subscribers, meaning criminals can cross-reference data from multiple breaches to build complete victim profiles.
Why Are Operators So Vulnerable?
Aging systems, massive outsourcing, valuable data: a perfect storm.
1. Complex Legacy Systems
Telecom operators manage aging infrastructure:
- Databases sometimes 20-30 years old
- Multiple poorly secured interfaces
- Incomplete migration to cloud
- Accumulated technical debt
French telecom operators built their IT systems in the 1990s and early 2000s, when cybersecurity was an afterthought. These systems were designed for reliability and scale, not security. Migrating them is enormously expensive and risky -- any downtime means millions of customers lose service. So operators patch and extend rather than rebuild, creating an ever-growing attack surface.
2. Outsourcing Risks
Many functions are externalized:
| Function | Outsourced | Risk |
|---|---|---|
| Customer service | Often | Data access |
| Billing | Sometimes | Banking data |
| IT | Frequently | System access |
| Marketing | Often | Customer databases |
Each subcontractor is a point of vulnerability. A call center agent in an outsourced facility has access to customer names, addresses, phone numbers, and often banking details. If that facility's security is compromised -- or if an employee is bribed or coerced -- the entire customer database is at risk. Several major French data breaches have been traced back to compromised subcontractor access.
3. Valuable Data
Operators hold data that is extremely attractive to criminals:
- Complete identity (full name, date of birth)
- Contact details (phone, email, postal address)
- Banking data (IBAN for direct debits)
- Consumption habits and plan details
This combination is the holy grail for identity thieves. With a name, address, phone number, and IBAN from a telecom breach, a criminal has most of what they need to impersonate someone -- open accounts, take out loans, or commit fraud in their name.
4. Insufficient Cybersecurity Investment
Despite their size, operators underinvest in security:
| Aspect | Finding |
|---|---|
| Security budget | Often < 5% of IT budget |
| Training | Staff not adequately trained |
| Testing | Insufficient penetration tests |
| Detection | Long delays before breach detection |
By comparison, major banks typically spend 10-15% of their IT budget on cybersecurity. Telecom operators, despite holding similarly sensitive data, treat security as a cost center rather than a core business function. The result is predictable: breaches that could have been prevented with standard security practices.
Telecom-Specific Risks
SIM swapping, targeted phishing, fraudulent debits: your telecom data opens every door.
1. SIM Swapping
With your data, a criminal can attempt to steal your phone number:
SIM Swapping Procedure:
- The criminal calls your operator
- They impersonate you (using your leaked data)
- They request a transfer to a new SIM card
- They receive your texts and calls
- They can bypass 2FA on your accounts
"SIM swapping is exploding. With the stolen data, it has become much easier."
-- Telecom fraud expert
SIM swapping is particularly devastating because your phone number is the key to your digital life. Most banks, email providers, and social media platforms use SMS-based two-factor authentication. If a criminal controls your number, they can:
- Reset your email password
- Access your bank accounts
- Take over your social media
- Intercept verification codes for any service
The leaked telecom data makes this attack far easier because the criminal can answer the operator's security questions (date of birth, address, account number, plan details) -- information they obtained from the breach itself.
2. Hyper-Targeted Phishing
With real customer data, criminals craft ultra-credible messages:
Example fraudulent SMS:
"SFR: Your invoice of 47.99 EUR dated 11/15 has an anomaly. Resolve at [link] to avoid service interruption."
With the real amount of your plan and real dates, these messages are nearly indistinguishable from legitimate operator communications. Traditional phishing advice ("look for spelling mistakes," "check if the amount is correct") becomes useless when criminals have access to your actual billing data.
3. Fraudulent Direct Debits
With your IBAN, criminals can:
- Create fraudulent SEPA direct debit mandates
- Attempt wire transfers (more difficult)
- Impersonate your banking identity
How SEPA direct debit fraud works:
- Criminal creates a shell company or uses a stolen business identity
- They register your IBAN as an authorized payer
- They submit direct debit requests through the banking system
- Money is debited from your account
- By the time you notice, the money has been moved through multiple accounts
Protection: You can contest any unauthorized direct debit within a period of 13 months under EU SEPA regulations.
4. Complete Identity Theft
By cross-referencing leaks from different sources:
| Source | Data |
|---|---|
| Free/SFR | IBAN, phone number |
| France Travail | Social security number, address |
| Viamedis | Health insurance details |
Combined, these sources give a criminal a complete profile for identity theft.
The danger of the 2024 French data breaches is not any single incident in isolation -- it's the cumulative effect. A criminal who purchases data from multiple breaches can assemble a complete dossier on millions of French citizens: name, address, phone, email, IBAN, social security number, health insurance details, and employer information. This is enough to impersonate someone convincingly for virtually any purpose.
How to Protect Yourself
Bank alerts, payment monitoring, SIM protection: your immediate action plan.
Immediate Actions
1. Check if you are affected
- Contact your operator directly
- Check for notification emails (beware of phishing)
- Monitor your bank statements for unusual direct debits
2. Alert your bank
- Inform them about the IBAN leak
- Request enhanced monitoring on your account
- Activate SMS alerts for all transactions
- Consider setting up a whitelist of authorized direct debits
3. Monitor your direct debits
- Check your bank statements regularly (weekly at minimum)
- Contest any unknown direct debit immediately
- Keep all evidence and correspondence
- Screenshot any suspicious transactions
Operator Account Protection
4. Strengthen your account security
- Set a unique, strong password (at least 16 characters)
- Enable two-factor authentication if available
- Verify your contact information is correct
- Remove unnecessary personal details from your account
5. SIM Swapping Protection
- Add a voice password if your operator offers it
- Limit personal information on social media
- Be vigilant against social engineering attempts
- Ask your operator about additional SIM lock options
- Consider using an authenticator app instead of SMS for 2FA
Long-Term Measures
| Action | Priority |
|---|---|
| Password manager | Immediate |
| Bank transaction alerts | Immediate |
| 2FA on all accounts | Immediate |
| Review authorized direct debits | Important |
| Regular credit monitoring | Recommended |
| Freeze unused credit lines | Recommended |
Use a password manager: After a data breach, criminals will try your leaked email/password combinations on other services. A password manager ensures every account has a unique password, so a breach at one service does not compromise all your other accounts.
Enable 2FA everywhere -- but prefer authenticator apps (like Authy, Google Authenticator, or a hardware key) over SMS-based 2FA. If your phone number is compromised through SIM swapping, SMS-based 2FA becomes useless.
Your Rights and Recourse
13 months to contest, class actions underway: your recourse against operators.
Banking Contestation Rights
For unauthorized direct debits:
- 8-week deadline for authorized but disputed direct debits
- 13-month deadline for unauthorized direct debits
Procedure:
- Contest in writing with your bank
- The bank must reimburse immediately (within 10 business days)
- The bank can then investigate
- If the bank refuses, escalate to the banking mediator
Under EU SEPA regulations, consumers have strong protections against unauthorized direct debits. Your bank cannot refuse to reimburse an unauthorized debit within the 13-month window -- this is a legal obligation, not a courtesy.
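One way to automate the weekly direct-debit check recommended earlier and the contestation deadlines above, as an added example that is not part of the original article: it flags SEPA direct debits whose creditor identifier and mandate reference are not on an allowlist and computes the date by which each must be contested. The CSV column names, identifiers and amounts are constructed for illustration; real bank exports differ.

```python
import calendar
import csv
import io
from datetime import date, timedelta

# Constructed statement export. Column names are assumptions, not a real bank format.
SAMPLE_CSV = """date,type,creditor_name,creditor_id,mandate_ref,amount
2024-11-05,SEPA_DD,SFR,FR00ZZZ000001,RUM-SFR-001,-47.99
2024-11-12,SEPA_DD,EXAMPLE ENERGY,FR00ZZZ000002,RUM-NRG-778,-62.10
2024-11-20,SEPA_DD,SFR,FR00ZZZ000001,RUM-SFR-999,-47.99
2024-11-28,SEPA_DD,UNKNOWN SERVICES,FR00ZZZ000003,RUM-XYZ-123,-29.90
2024-11-29,CARD,GROCERY,,,-18.40
"""

# Constructed allowlist: (creditor identifier, mandate reference) pairs you actually signed.
ALLOWLIST = {("FR00ZZZ000001", "RUM-SFR-001"), ("FR00ZZZ000002", "RUM-NRG-778")}


def add_months(d, months):
    """Same day `months` later, clamped to the last day of the target month."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def contest_deadline(debit_date, authorized):
    """8 weeks for an authorized but disputed debit, 13 months for an unauthorized one."""
    return debit_date + timedelta(weeks=8) if authorized else add_months(debit_date, 13)


def review_debits(csv_text, allowlist, today):
    """Return every SEPA direct debit whose creditor/mandate pair is not allowlisted."""
    known_creditors = {creditor_id for creditor_id, _ in allowlist}
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["type"] != "SEPA_DD":
            continue  # card payments and transfers are out of scope here
        if (row["creditor_id"], row["mandate_ref"]) in allowlist:
            continue
        debit_date = date.fromisoformat(row["date"])
        deadline = contest_deadline(debit_date, authorized=False)
        # A familiar name and the usual amount prove nothing: match on the mandate.
        reason = ("unknown mandate for known creditor"
                  if row["creditor_id"] in known_creditors else "unknown creditor")
        findings.append({"date": debit_date, "creditor": row["creditor_name"],
                         "amount": float(row["amount"]), "reason": reason,
                         "contest_by": deadline, "days_left": (deadline - today).days})
    return findings


if __name__ == "__main__":
    for f in review_debits(SAMPLE_CSV, ALLOWLIST, today=date(2024, 12, 1)):
        print(f"{f['date']} {f['creditor']:<17} {f['amount']:>8.2f}  {f['reason']}; "
              f"contest by {f['contest_by']} ({f['days_left']} days left)")
```

The third sample row carries the operator's name and the usual plan amount but an unknown mandate reference, which is why the check keys on the identifier pair rather than on name or amount.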
GDPR Obligations
Operators have strict obligations under the EU General Data Protection Regulation:
- Notification: Must inform affected individuals within 72 hours
- Security: Must implement appropriate security measures
- Accountability: Must demonstrate compliance
- Right to compensation: Victims can claim damages for material or moral harm
The CNIL (Commission Nationale de l'Informatique et des Libertés) can impose fines of up to 4% of annual global turnover for GDPR violations. For an operator like Free or SFR, this could mean hundreds of millions of euros.
Class Actions in Preparation
Several class actions are being prepared against:
- Free: For the massive IBAN leak affecting 19 million customers
- SFR: For the breach exposing 1.4 million customers' banking data
- Other affected companies
You can join these class actions if you are an affected customer. Organizations like UFC-Que Choisir and various consumer protection associations are coordinating these legal efforts.
How to join:
- Document that you were a customer at the time of the breach
- Save any notification emails from your operator
- Document any damages (fraudulent debits, time spent, stress)
- Register with the consumer association leading the action
FAQ
Has my IBAN actually been leaked?
If you were a Free or SFR customer with automatic direct debit payments at the time of the 2024 breaches, it is likely. Contact your operator for confirmation and monitor your bank statements closely.
What can someone do with a stolen IBAN?
Fraudulent direct debits can be attempted through fake SEPA mandates. However, you are protected: you can contest any unauthorized direct debit within 13 months at your bank. The bank is legally required to reimburse you.
Should I change banks?
It is not strictly necessary -- your IBAN will follow you to a new account anyway if you transfer your direct debits. Instead, focus on monitoring your current account, setting up alerts, and working with your bank to flag suspicious activity.
Will my operator compensate me?
Not automatically. However, the GDPR provides a right to compensation if you suffer damages. Class actions are currently being organized against Free and SFR. Even without a class action, you can file an individual claim.
Can I refuse automatic direct debit payments?
Yes, you can switch to card payment or bank transfer for your telecom bills. This avoids sharing your IBAN, but be careful about forgetting payments. Some operators may charge a fee for non-direct-debit payment methods.
Does SIM swapping affect me?
If your data was leaked in any of these breaches, your risk of SIM swapping increases significantly. Strengthen your operator account security, set up additional verification steps, and be suspicious of any calls asking you to confirm personal information -- even if the caller claims to be from your operator.
Conclusion: Operators Failing to Protect
The 2024 telecom data breaches reveal a collective failure in customer data protection by France's major operators.
Key takeaways:
- Millions of IBANs exposed for the first time in French history
- SFR and Free were the most severely affected
- The risks are real: fraudulent direct debits, SIM swapping, identity theft
- You are protected by law (13-month contestation period for unauthorized debits)
- Vigilance is your best defense -- monitor your accounts and act quickly
These incidents add to the other massive leaks of 2024 (France Travail, Viamedis, CAF...). France has become a digital sieve when it comes to personal data protection. The combination of aging infrastructure, insufficient security investment, and massive outsourcing has created systemic vulnerabilities that affect tens of millions of citizens.
The telecom sector's failure is particularly concerning because operators hold some of the most sensitive combinations of personal data -- identity, contact details, and banking information all in one place. Until French telecom companies treat cybersecurity as a core business priority rather than an afterthought, these breaches will continue.
Sources
- Le Monde - Free Data Breach
- Numerama - SFR Hack
- ZDNet - French Operator Data Leaks
- CNIL - Your Rights After a Data Breach
- Official communications from Free and SFR
- Banque de France - SEPA direct debit regulations
- EU General Data Protection Regulation (GDPR)