Cyberattack hits France’s third-largest mobile operator, millions of customers affected

Bouygues Telecom, one of France’s largest telecom companies and its third-largest mobile operator, announced on Wednesday being hit by a cyberattack that compromised the data of millions of customers.

The nature of the attack was not disclosed, and the company said the “situation was resolved as quickly as possible” by its technical teams, and that “all necessary measures were put in place.”

According to its corporate statement, the attack “allowed unauthorized access to certain personal data from 6.4 million customer accounts.”

Bouygues reported having 18.3 million mobile customers in its annual results for 2024, as well as 4.2 million fiber-to-the-home customers. It is not clear from the announcement which customer segment was affected.

The company stated those who were impacted “have received or will receive an email or text message to inform them, and our teams remain fully mobilized to support them.”

A report regarding the data breach has been filed with France’s data protection regulator, the CNIL, and a complaint has been submitted to France’s judicial authorities.

It follows another attack last week affecting Orange, the country’s largest telecoms provider, although Orange did not disclose any breach of customer data. There have been no subsequent reported impacts on Orange customers, either in the retail or enterprise spaces.

The French cybersecurity agency ANSSI warned about state-sponsored threats targeting the country’s telecommunications sector for espionage in its annual review, confirming there had been multiple compromises in recent years.

Major incidents described in the ANSSI report include a suspected state-sponsored threat actor compromising a mobile network core as well as intrusions into satellite communications infrastructure.

The agency said its investigation into the core network incident confirmed that the attackers intended to intercept the communications of specific targets.

Although ANSSI did not attribute the attack to a threat cluster tracked by Western agencies, the interception of correspondence from targeted individuals was also seen and publicly avowed in Salt Typhoon breaches in the United States.