Millions of French people, Free customers, are affected by a leak of personal data suffered by the operator.
Inconveniences which raise the question of the responsibility of the company, itself a victim since it suffered a cyberattack.
In these types of cases, a company faces sanctions if it is proven that it was negligent or did not properly secure customer data.
Information scrutinized by Auditors
A few days ago, the operator and Internet service provider Free informed its customers that it had been the victim of a cyberattack. The attack led to a leak of personal data, which was immediately put up for sale by cybercriminals. In total, no fewer than 19 million accounts would be affected, with the surnames, first names, postal addresses and even telephone numbers of subscribers stolen. Some 5 million IBANs were also stolen, raising fears of a rise in attempted banking scams.
Free customers targeted by a possible fraud attempt can make a report or file a complaint via an online form on the website cybermalveillance.gouv.fr. This lets them add their statements to the investigation without having to go to a police station or gendarmerie.
But can they then turn against the operator? While voices have been raised online calling for “prosecution” of Free and even of its director Xavier Niel, for that to happen a fault on the company's part in securing its data and IT systems would have to be demonstrated.
An obligation of means, but not results
On Free's side, we consider ourselves, above all, victims. The company, targeted by a cyberattack, has also announced that it has filed a criminal complaint following the data leak that occurred in recent days. Can it at the same time be the subject of prosecution, and by extension any other firm that finds itself in a similar situation? To find out, TF1info contacted Suzanne Vergnolle, doctor of law and lecturer in digital law at Cnam.
When an individual suffers a burglary and his door is forced, he is not the one prosecuted on the grounds that he should have reinforced access to his home with armour plating. For companies, however, the situation is not the same, says the specialist: “If you make the analogy with a burglary, the whole issue will be whether the door was closed, whether it had been properly locked, but also whether a gold bar was left on the doorstep right in front of the front door.” For customers' personal data, it is a “so-called obligation of means” that prevails. In plain terms, a company must do what is necessary to protect itself as best it can against the risks it could face.
Free, like any other company storing customer data, is however under no obligation to achieve a result. “The law does not require avoiding all cyberattacks,” continues Suzanne Vergnolle; the challenge will be to establish whether “the company did everything possible to avoid the violation it suffered”. The first series of questions to answer will then be: “Was this potentially preventable with better database security? Was there human error?”
To rule on these points, an institution like the National Commission for Information Technology and Liberties (CNIL) is on the front line. Quickly notified by Free, as the law requires in such cases, it can carry out an investigation and impose sanctions if necessary. Generally speaking, “the more sensitive the data, the higher the expected data security standard will be,” summarizes the Cnam expert. If security flaws are discovered, sanctions can be expected: a fine of up to 10 million euros. An even steeper bill cannot be ruled out: the CNIL can in fact impose a penalty calculated on the company's worldwide annual turnover, up to a maximum of 2% of the total, which can represent considerable amounts for multinationals or companies that generate large profits.
Cases that rarely end up in court
In parallel with the procedures initiated by the CNIL, actions can also be brought before the courts. While an investigation into the cyberattack targeting Free is under way, entrusted to the cybercrime brigade (BL2C) of the Paris police headquarters, customers could turn against the operator. Here again, the challenge would be to show flaws in the way personal data had been secured. “There are sometimes situations where you do your best, while you come face to face with bad actors who turn out to be very good,” cybersecurity expert Baptiste Robert tells TF1info. “It’s not necessarily that we did badly, but just that the one opposite was better.”
With a complaint being filed, we move into the judicial system, notes Suzanne Vergnolle. “Individuals can act on the basis of civil liability: from the moment a person commits a fault, it is up to them to assume all the harm that results from it and to repair the consequences.” The doctor of law observes, however, that it is very rare for such cases, common before the CNIL, to be brought before the courts. This is explained by the fact that “legal litigation is expensive and takes a lot of time,” but also by the small sums the plaintiffs could expect. Generally, “we are not facing significant amounts in terms of reparations.”
Finally, it should be noted that if a data leak concerns a public administration rather than a private company, the procedures are broadly similar, with a few differences. First, the CNIL cannot impose financial sanctions on it and must, in the event of negligence, limit itself to formal warnings or requests for compliance. Second, legal action by individuals remains possible, but in this situation it must be brought before the administrative courts.