Read also: MFA missing - 24 million subscribers leaked, €42M fine
When the CNIL investigated the Free breach, they not only found a lack of MFA. They also found that the company stored personal data about former customers longer than necessary: IBAN numbers, addresses, and contact information for customers who had cancelled long ago.
The result: when the attacker got in, it wasn't only active customers who were affected. People who thought they were done with the company also had their data leaked.
If Free had deleted data about former customers in a timely manner, the scale of the breach would have been far smaller.
What does this mean for you?
Review your customer registry. Do you have data on customers who have not been active for one, two, or three years? Do you need it? If not — delete it.
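One way to put that review into practice, as an added example that is not from the original post or from the CNIL: a retention sweep over a constructed SQLite customer registry that finds former customers whose cancellation date is older than an assumed three-year retention period, lists them in a dry run, and then deletes them. The table layout, the retention period and the sample rows are all assumptions.

```python
import sqlite3
from datetime import date, timedelta

# Assumption: policy keeps ex-customer records for three years after cancellation.
RETENTION_DAYS = 3 * 365


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample registry; cancelled_on IS NULL means an active customer."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, iban TEXT, "
        "address TEXT, email TEXT, cancelled_on TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?, ?, ?, ?)",
        [
            (1, "Active Customer", "FR76XXXX0001", "1 Rue A", "a@example.net", None),
            (2, "Recent Leaver", "FR76XXXX0002", "2 Rue B", "b@example.net", "2023-06-15"),
            (3, "Old Leaver", "FR76XXXX0003", "3 Rue C", "c@example.net", "2019-02-10"),
            (4, "Borderline Leaver", "FR76XXXX0004", "4 Rue D", "d@example.net", "2021-09-30"),
        ],
    )
    conn.commit()
    return conn


def purge_former_customers(conn, today_iso, retention_days=RETENTION_DAYS, dry_run=False):
    """Return ids of former customers past retention; delete them unless dry_run."""
    cutoff = (date.fromisoformat(today_iso) - timedelta(days=retention_days)).isoformat()
    # ISO-8601 dates compare correctly as strings; active rows (NULL) are never selected.
    rows = conn.execute(
        "SELECT id FROM customers WHERE cancelled_on IS NOT NULL AND cancelled_on < ? ORDER BY id",
        (cutoff,),
    ).fetchall()
    expired = [row[0] for row in rows]
    if not dry_run and expired:
        conn.executemany("DELETE FROM customers WHERE id = ?", [(i,) for i in expired])
        conn.commit()
    return expired


def remaining_ids(conn):
    return [row[0] for row in conn.execute("SELECT id FROM customers ORDER BY id")]


if __name__ == "__main__":
    db = build_sample_db()
    print("would delete:", purge_former_customers(db, "2024-10-01", dry_run=True))
    print("deleted:", purge_former_customers(db, "2024-10-01"))
    print("remaining:", remaining_ids(db))
```

Run the dry run first and review the list before letting the sweep delete anything; a real deployment would also log each deletion for audit and run on a schedule.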
Inspired by: CNIL