What if… Free had been betrayed from within - S01E01?
Prologue: The Perfect Digital Crime
Marseille, Free headquarters, an ordinary Tuesday in September 2024. In the air-conditioned offices on the 7th floor, Thomas – let’s call him that – watches his screens like every morning for the past three years. A system administrator in the security team, he has access to what 19 million French people consider their best-kept secrets: their personal data.
Thomas, system administrator: privileged access, absolute trust… and €45,000 in debt
That morning, Thomas makes a decision that will change everything. A decision that no one, not even Free’s most sophisticated surveillance systems, will see coming.
Welcome to the nightmare of every modern company: the threat from within.
Introduction
21% of cyber incidents in companies are caused by malicious employees
The Free attack in October 2024 left a mark: 19 million customers affected, 5 million IBANs compromised, a massive breach that shook user trust. But what if this attack was not the work of external hackers? What if the real culprit wore a Free employee badge and knew the system’s flaws perfectly?
In the world of cybersecurity, 21% of incidents in companies are caused by employees who intentionally violate security protocols. For telecoms, this threat is magnified: privileged access to critical infrastructures, centralized customer databases, and above all, blind trust in “insiders.”
Let’s dive into a scenario that chills the blood of all CIOs: the perfect betrayal.
Act 1: The Infiltration - Portrait of an Ordinary Traitor
The perfect profile: educated, experienced, glowing recommendations… and in debt
The Perfect Profile
Thomas, 34 years old, system engineer at Free since 2021. Impeccable LinkedIn profile, glowing recommendations from former employers, a graduate of a prestigious engineering school. During his recruitment, no alarm signals: clean criminal record, verified references, brilliantly passed technical interviews.
What HR could not detect? The €45,000 in debt accumulated from a difficult divorce and risky cryptocurrency investments. What the standard pre-employment background check did not reveal? His activity on underground dark web forums, under the pseudonym “NetGhost.”
The dark web forums where “NetGhost” prepares his betrayal
The Privileged Access
Thomas’s arsenal: access to the databases of 19 million Free customers
As a level 3 system administrator, Thomas has extensive access to critical infrastructures:
- Customer database: read access and bulk export rights, granted for maintenance
- Billing systems: access to IBANs for resolving payment incidents
- Connection logs: monitoring and analysis of user access, which also means write access to the very logs that record his own activity
- Backup tools: management of backups and restorations, i.e. a full copy of every database outside the production access controls
A legitimate access that, when diverted, becomes a weapon of mass destruction.
The First Flaw: Blind Trust
“Thomas? He’s our best asset on database security,” his manager would later confide. “Never a problem, always available, even on weekends. A model employee.”
Blind trust: the first major security flaw in organizations
This blind trust constitutes the first major flaw. No monitoring of privileged activities, no separation of critical tasks (the same account could export data and administer the logs that recorded the export), no rotation of sensitive accesses. The principle of “least privilege”? Never applied.
🔍 Real Context: The Internal Threat at Free
- Employees in France: ~18,000 people
- Privileged accesses: ~2,000 administrator accounts
- Insider monitoring: Limited before October 2024
- Awareness training: Focused on external threats
Source: Telecom sector estimates, France 2024
Act 2: The Exfiltration - The Art of Stealing Without Being Seen
Silent exfiltration: 1.2 terabytes of data stolen over 4 months
The Method: Invisible and Methodical
Thomas does not proceed like a noisy, rushed external hacker. His method is that of a surgeon: precise, discreet, spread over time.
Phase 1: Reconnaissance (May-June 2024)
- Mapping of internal surveillance systems
- Identification of low supervision slots (weekends, holidays)
- Testing “legitimate” SQL queries on small data samples
Thomas’s seemingly legitimate SQL queries to map the systems
Phase 2: Gradual Extraction (July-September 2024)
- Queries split into batches below the per-query volume threshold, so no single extraction trips the volumetric alert
- Use of the export tools sanctioned for maintenance, so each job looks like an authorized task type
- Encryption of the exfiltrated data with his own keys, so content inspection sees only opaque blobs
- Temporary staging on “forgotten” development servers that no inventory or monitoring covers
Phase 3: Camouflage (September 2024)
- Falsification of access logs via his administrator privileges (possible only because the logs stayed on hosts he administered, with no copy forwarded to a store he could not write to)
- Selective deletion of traces of suspicious activity
- Creation of false retroactive technical justifications (tickets and change requests backdated to cover the exports)
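The camouflage in Phase 3 only works because the access logs live on systems Thomas administers. The following is an added example, not code from the original article or from Free, of the control that defeats it: a hash-chained, append-only audit log whose head is anchored off-host (in the SIEM or write-once storage). Every event, user name and table name below is constructed sample data.

```python
from __future__ import annotations

import hashlib
import json

# Added example (not Free's code): a hash-chained, append-only audit log.
# Each record stores the hash of the previous one, so an edit or deletion on the
# source host breaks verification; anchoring the chain head off-host also catches
# an attacker who re-chains everything after the edit. All events are constructed.

GENESIS = "0" * 64  # the hash "before" the first record


def _body(record: dict) -> dict:
    """The audited fields of a record, without the chain metadata."""
    return {k: v for k, v in record.items() if k not in ("prev", "hash")}


def chain_entry(prev_hash: str, entry: dict) -> dict:
    """Extend `entry` with prev/hash, hashing prev_hash + canonical JSON of the entry."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()
    return {**entry, "prev": prev_hash, "hash": digest}


def build_chain(entries: list[dict]) -> list[dict]:
    """Chain a list of plain audit events in order."""
    chained, prev = [], GENESIS
    for entry in entries:
        rec = chain_entry(prev, entry)
        chained.append(rec)
        prev = rec["hash"]
    return chained


def verify_chain(chained: list[dict]) -> tuple[bool, int]:
    """Recompute every link. Returns (ok, index of first bad record); index == len when ok."""
    prev = GENESIS
    for i, rec in enumerate(chained):
        if rec.get("prev") != prev or chain_entry(prev, _body(rec))["hash"] != rec.get("hash"):
            return False, i
        prev = rec["hash"]
    return True, len(chained)


def head(chained: list[dict]) -> str:
    """Chain head to ship off-host (SIEM, write-once storage) after each forwarding batch."""
    return chained[-1]["hash"] if chained else GENESIS


def rechain_after_edit(chained: list[dict], idx: int, **changes) -> list[dict]:
    """What a root attacker can do locally: rewrite record idx and recompute every later link."""
    bodies = [_body(r) for r in chained]
    bodies[idx] = {**bodies[idx], **changes}
    return build_chain(bodies)


# Constructed sample: two night-time bulk exports by the same admin, then a routine backup job.
SAMPLE_EVENTS = [
    {"ts": "2024-08-03T02:14:07Z", "user": "tdupont", "action": "db.export", "table": "customers", "rows": 9500},
    {"ts": "2024-08-03T02:31:52Z", "user": "tdupont", "action": "db.export", "table": "billing_iban", "rows": 9800},
    {"ts": "2024-08-03T08:05:11Z", "user": "backup-svc", "action": "backup.run", "table": "*", "rows": 0},
]


def demo() -> dict:
    chained = build_chain(SAMPLE_EVENTS)
    anchored_head = head(chained)  # forwarded to the SIEM before the attacker acts

    # 1. Naive edit: relabel the IBAN export as maintenance without touching the hashes.
    edited = [dict(r) for r in chained]
    edited[1]["table"] = "maintenance_tmp"
    ok_edit, bad_edit = verify_chain(edited)

    # 2. Naive deletion of the IBAN export record.
    deleted = chained[:1] + chained[2:]
    ok_del, bad_del = verify_chain(deleted)

    # 3. Careful attacker: edit, then recompute every later hash. Local verification passes,
    #    but the head no longer matches the copy anchored off-host.
    rechained = rechain_after_edit(chained, 1, table="maintenance_tmp")
    ok_rechain, _ = verify_chain(rechained)
    return {
        "ok_before": verify_chain(chained)[0],
        "ok_edit": ok_edit, "first_bad_edit": bad_edit,
        "ok_delete": ok_del, "first_bad_delete": bad_del,
        "ok_rechain_local": ok_rechain,
        "rechain_matches_anchor": head(rechained) == anchored_head,
    }


if __name__ == "__main__":
    print(demo())
```

The third case is the one that matters for an administrator: with root on the log host he can rewrite the whole chain consistently, so local verification alone proves nothing. The control is the anchored head, which is why log forwarding to a store the administrator cannot write to belongs in the protection plan.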
The Targeted Data: A War Treasure
The stolen data: complete personal information and 5 million IBANs
Thomas does not steal randomly. His selection is strategic:
- Premium customer data: Freebox subscribers with high incomes
- Active IBANs: Bank accounts with recent withdrawals
- Complete personal information: Names, addresses, phones, emails
- Geolocation data: Mobile connection histories
Estimated total volume: 1.2 terabytes of pure data, representing the information of 19.3 million customers.
The Fatal Mistake: The Lure of Gain
The Bitcoin deposit that will cost Thomas everything: a cash-out through an exchange that knows his identity
In September 2024, Thomas contacts “DrussellX,” a data broker on the dark web. Negotiations start at €50,000 for the complete lot. But Thomas’s impatience leads him to ask for a deposit in Bitcoin, which he cashes out through a regulated exchange that has verified his identity and pays into his own bank account. The blockchain ledger alone names no one; the exchange’s customer records do.
This transaction will be his downfall.
📊 Anatomy of an Internal Data Theft
Timeline of the betrayal: 4 months of preparation, 24 hours to lose it all
Act 3: The Discovery - When Reality Catches Up with Crime
The Alarm Signal
Free’s SOC on alert: October 17, 2024, 2:23 PM - first detection
October 17, 2024, 2:23 PM. Free’s cybersecurity team receives a report from ANSSI: Free customer data is circulating on underground forums. The content? Too recent to be a recycled dump, with records created only days earlier, and laid out exactly as the internal export tooling formats it. Nothing yet rules out an attacker who obtained a legitimate account, but the data clearly left through the front door.
Sarah, head of the SOC (Security Operations Center), immediately launches an investigation. The first elements are troubling:
- No trace of intrusion in the perimeter and endpoint security logs
- No anomaly in inbound network flows (the outbound side, where an insider’s traffic would show, was barely monitored)
- Data exported whole and consistently, as the maintenance export tools produce it, rather than the partial dumps left by injection or scraping
The Internal Investigation: Following the Money
The investigation that leads to Thomas: following the money trail
The investigation takes a decisive turn when the team decides to follow the money. Free files a complaint; the judicial authorities, not the company (an employer cannot look into its employees’ personal bank accounts), trace the seller’s Bitcoin deposit address to a regulated exchange, obtain the identity records behind the account, and cross-reference the result with Free’s list of employees holding access to the compromised tables.
October 21, 9:15 AM: Thomas’s name appears in the cross-references. A deposit of €15,000 into his personal account on October 18, paid out by a cryptocurrency exchange.
The Confrontation
October 22, “Provence” room: Thomas faces the evidence of his betrayal
October 22, 8:30 AM, “Provence” meeting room. Thomas is summoned by HR and the legal department. Faced with the accumulated evidence, he eventually confesses.
“I was backed into a financial corner. I thought that with all this data already circulating on the dark web, a few more wouldn’t matter…”
A pathetic justification for a crime with dramatic consequences.
🔍 Comparative real case: SFR - The Malicious Insider (2024)
- Incident: Partner employee compromises the SIBO360 tool
- Stolen data: 50,000 customer files with banking details
- Method: Legitimate access diverted on management tool
- Detection: Data published on Telegram
- Consequences: Reevaluation of partner accesses
Source: Cybersecurity incident reports, telecom sector 2024
Epilogue: The Scars of Betrayal
The Shockwave
The shockwave: 19 million customers affected, organizational trust shattered
The revelation of this internal betrayal shakes the entire Free organization. Beyond the 19 million affected customers, it is the trust in the system that collapses. How can one trust their employees when one of them turns out to be the worst enemy?
The reaction is immediate and drastic:
- End of remote work for all call center employees
- Complete audit of privileged accesses
- Implementation of a strengthened DLP (Data Loss Prevention)
- Behavioral monitoring of all administrator accounts
The Human and Financial Cost
CNIL sanctions: between €50 and €100 million in fines
The consequences go far beyond the technical framework:
- CNIL sanctions: Estimated fine between €50 and €100 million
- Legal actions: Hundreds of customer complaints ongoing
- Remediation cost: Notification of the 5 million customers whose IBAN leaked and handling of the fraudulent SEPA direct debits that follow (an IBAN, unlike a bank card, cannot simply be reissued)
- Image impact: 15% drop in new subscriptions
- Human cost: Layoffs, restructuring, climate of distrust
The Lessons from a Forewarned Tragedy
The revealed flaws: over-privileges, insufficient monitoring, blind trust
This fictional story – but unfortunately plausible – reveals the gaping flaws in the internal security of French telecoms:
- Chronic over-privileges: Too many employees have access to too much data
- Insufficient monitoring: Monitoring tools focus on external threats
- Culture of blind trust: No verification of legitimate activities
- Inadequate training: Awareness focused solely on external threats
Keys to Prevent Betrayal
🛠️ Technical Solutions Against Insiders
The technical arsenal to counter internal threats
Zero Trust Architecture: “Never trust, always verify”
✅ Internal Threat Protection Plan
Protection plan: prevention, detection, reaction
Prevention (preventive measures):
- Strict least privilege policy
- Separation of critical tasks
- Thorough and renewed security investigations
- Specific training on internal threats
Detection (continuous monitoring):
- Behavioral analysis of privileged users (UEBA), baselined per account and per role
- Real-time monitoring of access to sensitive data, with logs forwarded to a store administrators cannot alter
- Automatic alerts on extraction volumes, cumulative per identity over days and weeks, not only per query
- Correlation of system logs with HR events (role changes, departures, disciplinary actions) and, where the company lawfully holds them, financial signals
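Phase 2 of the extraction works because the only alert in place counts rows per query; the detection measures above count per identity over time instead. As an added example that is not part of the original article or of any Free tooling, the Python below runs three rules over a constructed database export audit log (user names, table names, business hours and thresholds are all assumptions): the naive per-query limit, a rolling 7-day total per identity on sensitive tables, and a count of off-hours sensitive exports. Correlation with HR events is left out; it is a join on the same user key once an HR export is available.

```python
from __future__ import annotations

import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example (not Free's tooling): detection over a database export audit log that
# catches an extraction split into many small queries. A per-query threshold alone
# misses it; a rolling per-identity total and an off-hours count do not.
# The log below is constructed sample data.
SAMPLE_LOG = """ts,user,table,rows
2024-07-06T01:12:40Z,tdupont,customers,9200
2024-07-06T01:40:03Z,tdupont,billing_iban,8900
2024-07-07T02:05:19Z,tdupont,customers,9500
2024-07-13T00:58:44Z,tdupont,billing_iban,9100
2024-07-14T03:22:10Z,tdupont,customers,9700
2024-07-20T01:47:31Z,tdupont,billing_iban,9300
2024-07-09T10:15:02Z,mlefevre,customers,450
2024-07-11T14:30:57Z,mlefevre,billing_iban,120
2024-07-18T09:02:33Z,mlefevre,customers,20000
"""

PER_QUERY_LIMIT = 10_000   # the only rule in place in the story; every split query stays below it
WINDOW = timedelta(days=7)  # rolling window for the cumulative rule (assumed)
WINDOW_LIMIT = 25_000       # rows per identity per window on sensitive tables (assumed)
OFF_HOURS_LIMIT = 3         # sensitive exports at night or on weekends before alerting (assumed)
SENSITIVE_TABLES = {"customers", "billing_iban"}


def parse_log(text: str) -> list[dict]:
    """Parse the CSV audit log and return events sorted by timestamp."""
    events = []
    for rec in csv.DictReader(io.StringIO(text)):
        events.append({
            "ts": datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": rec["user"], "table": rec["table"], "rows": int(rec["rows"]),
        })
    return sorted(events, key=lambda e: e["ts"])


def is_off_hours(ts: datetime) -> bool:
    """Weekend, or outside 08:00-19:00 (assumed business hours; sample timestamps are UTC)."""
    return ts.weekday() >= 5 or not 8 <= ts.hour < 19


def detect(events: list[dict]) -> list[dict]:
    """Run the three rules over time-ordered events; each rule fires at most once per user."""
    alerts: list[dict] = []
    window: dict[str, deque] = defaultdict(deque)   # per user: (ts, rows) inside WINDOW
    window_total: dict[str, int] = defaultdict(int)
    off_hours: dict[str, int] = defaultdict(int)
    fired: set[tuple[str, str]] = set()

    def fire(user: str, rule: str, ts: datetime, value: int) -> None:
        if (user, rule) not in fired:
            fired.add((user, rule))
            alerts.append({"user": user, "rule": rule, "ts": ts, "value": value})

    for e in events:
        user, ts = e["user"], e["ts"]
        # Rule 1: the naive volumetric alert. The split queries never trip it.
        if e["rows"] > PER_QUERY_LIMIT:
            fire(user, "single_query_volume", ts, e["rows"])
        if e["table"] not in SENSITIVE_TABLES:
            continue
        # Rule 2: rolling cumulative volume per identity on sensitive tables.
        q = window[user]
        q.append((ts, e["rows"]))
        window_total[user] += e["rows"]
        while ts - q[0][0] > WINDOW:
            window_total[user] -= q.popleft()[1]
        if window_total[user] > WINDOW_LIMIT:
            fire(user, "cumulative_window_volume", ts, window_total[user])
        # Rule 3: repeated sensitive exports outside business hours.
        if is_off_hours(ts):
            off_hours[user] += 1
            if off_hours[user] >= OFF_HOURS_LIMIT:
                fire(user, "off_hours_sensitive_exports", ts, off_hours[user])
    return alerts


def rules_by_user(alerts: list[dict]) -> dict[str, set[str]]:
    """Summarize which rules fired for each identity."""
    out: dict[str, set[str]] = defaultdict(set)
    for a in alerts:
        out[a["user"]].add(a["rule"])
    return dict(out)


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample, the per-query rule fires only on the colleague’s single large daytime export (a ticketed bulk job, the kind of noise a SOC learns to triage), while the night-time account trips both the cumulative and the off-hours rules by its third query. The cumulative rule is keyed on the identity, not the session, so splitting work across connections or days does not reset it; rotating across several accounts would, which is why the correlation with HR and access-request data in the list above matters.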
Reaction (incident response):
- Dedicated internal investigation procedure
- Pre-established cooperation with judicial authorities
- Crisis communication plan
- Emergency access revocation process
⚠️ At-Risk Profiles - HR Alert Signals
Detecting alert signals: behavioral, technical, financial
Behavioral indicators:
- Recent personal financial difficulties
- Sudden change in attitude or performance
- Accessing data outside normal hours
- Sudden interest in out-of-scope systems
- Contacts with competitors or former companies
Technical indicators:
- Unusual queries on databases
- Use of personal encryption tools
- Massive downloads to external media
- Disabling logs or monitoring tools
- Creation of unauthorized accounts or accesses
Conclusion: Trust Does Not Exclude Control
“Trust but verify”: the balance between human trust and technical control
The story of Thomas – fictional but terrifyingly realistic – reminds us of a disturbing truth: our worst enemies sometimes wear our colors. In a world where companies invest millions to protect themselves from external hackers, the most insidious threat often comes from within.
Free, SFR, Orange: all French telecom operators are vulnerable to this scenario. With millions of centralized customer data and over-privileged employees, they are prime targets for internal threats.
The solution is not widespread distrust, but intelligent monitoring. “Trust but verify”: trusting your teams while ensuring that this trust is deserved. Because in the digital realm, a single betrayal can annihilate decades of building.
The next time you receive an email informing you of a “cyberattack,” ask yourself: what if the attacker simply had an employee badge?
The employee badge: access key… or weapon of mass destruction?
Executive Summary
What if the massive data breach at Free in October 2024 was not the work of external hackers, but of a malicious employee? This fictional yet plausible scenario explores how Thomas, an indebted system administrator, could have exploited his privileged access to steal the data of 19 million customers and sell it on the dark web. Over four months, he methodically exfiltrates more than a terabyte of personal data and IBANs, exploiting his employer’s blind trust and the absence of monitoring for internal threats. His downfall: a Bitcoin payment cashed out through an exchange that knew his identity. This story reveals the gaping flaws of telecoms in the face of insider threats: over-privileges, insufficient monitoring, excessive trust culture. With 21% of cyber incidents in companies attributed to malicious employees, technical (UEBA, PAM, DLP) and organizational solutions become vital to prevent these modern betrayals.