French telecommunications company Bouygues SA must pay a 250,000-euro fine for failing to protect the data of about 2 million customers of its commitment-free wireless program.

French privacy regulator CNIL launched a probe in March 2018 after receiving a tip that contracts and invoices of Bouygues’ "B&You” data subscribers could be easily accessed online. The security vulnerability remained open for over two years.

CNIL, in announcing the fine Dec. 27, said Bouygues corrected the data security faults for B&You customers. Bouygues cooperation and prompt breach notification helped limit the security risk, CNIL said, helping the company evade a maximum penalty...