Data protection rights of individuals whose personal data has been stolen in a cyberattack shall prevail over the hacker's privacy rights

France's second-largest internet service provider Free was victim of a cyberattack in October 2024, which affected more than 19 million data subjects. For 5 million of them, banking data was compromised. The hacker tried to obtain a ransom for the stolen database, by sending a message to Free through Telegram messenger. 

Following that attack, Free requested access to elements identifying the sender of the ransom message. 

In a decision dated from 12 January 2024 , a French Paris Court ordered Telegram to provide Free with all the identification data of the sender, under article 145 of the French Civil Procedural Code. 

The Court considered that Free had a legitimate interest to obtain such data, as a criminal trial might arise, following the filing of a complaint by Free. Furthermore, the Court noted that this request was legally admissible, as operators of electronic communication have a duty to keep for five years information regarding the civil identity of the user for the sake of criminal proceedings. 

The Court ruled that the request for accessing personal data of the sender was proportionate and that the privacy rights of the Free data subjects whose data had been stolen shall prevail over the presumed hacker's rights to privacy. 

Authors: Nicolas Quoy (Partner), Antoine Boullet (Senior Associate)