
Orange Belgium, a key subsidiary of the Orange Group, confirmed on August 20, 2025, that a cyberattack discovered in late July resulted in the theft of data belonging to approximately 850,000 customers [1]. The breach, while separate from the recent incident affecting its parent company, represents the third significant cybersecurity event for Orange operations in 2025 [1, 5, 7]. The attackers successfully exfiltrated a specific set of customer information, though the company asserts that more sensitive data types were not accessed.
Summary for Leadership
This incident highlights a targeted attack against telecommunications infrastructure, resulting in a substantial data compromise. The stolen data set is particularly suited to facilitating secondary attacks, such as SIM swapping and sophisticated phishing campaigns, rather than direct financial fraud. Orange Belgium’s response included immediate containment and engagement with judicial authorities, though the threat actor’s identity remains officially undisclosed even though the company says it knows who is responsible [1].
**TL;DR: Key Points**
* **Entity:** Orange Belgium (Orange Group subsidiary)
* **Impact:** Data of 850,000 customers exfiltrated.
* **Data Stolen:** Names, telephone numbers, SIM card numbers, PUK codes, tariff plans.
* **Data NOT Stolen:** Passwords, email addresses, financial or banking details.
* **Primary Risks:** SIM swapping attacks and targeted smishing/vishing campaigns.
* **Attribution:** Not linked to the widespread ‘Salt Typhoon’ campaign; threat actor known but not named by Orange due to an ongoing investigation.
Technical Specifics of the Breach
The breach involved the exfiltration of a well-defined dataset from Orange Belgium’s systems. According to reports from BleepingComputer and CyberNews, the stolen information includes customer surnames and first names, telephone numbers, physical SIM card numbers, associated PUK (Personal Unblocking Key) codes, and details of the customers’ tariff plans [1, 3]. This combination of data is highly valuable for follow-on attacks. Crucially, the company confirmed that the compromise did not extend to customer passwords, email addresses, or any form of financial information or banking details [1, 2, 8]. This delineation suggests that the attackers either had access only to a specific database or that their lateral movement was contained before they reached the more critical authentication and billing systems.
Threat Actor Context and Industry Landscape
Orange Belgium stated that this breach is not connected to the ‘Salt Typhoon’ campaign, a China-linked activity targeting global telecommunications providers [1]. The company further noted that it is “aware of” the group responsible but has declined to publicly name them while the judicial investigation, prompted by Orange’s official complaint, is ongoing [1, 4]. This incident occurs amid a wave of attacks on telecom providers that has drawn increased scrutiny from regulators in Europe and the United States [8]. Around the same time, the ransomware gang Warlock claimed attacks against other technology firms, including Orange and Colt Technology Services [7]. Warlock is known for actively exploiting Microsoft SharePoint vulnerabilities. However, a direct connection between these claims and the confirmed Orange Belgium data breach has not been established.
Analysis of Exfiltrated Data and Associated Risks
The nature of the stolen data presents clear and immediate risks. The combination of SIM numbers and their corresponding PUK codes significantly lowers the barrier to SIM swap fraud [3]. In a SIM swap attack, a threat actor social engineers a mobile carrier’s support staff into porting a target’s number to a SIM card under the attacker’s control. Possession of the legitimate PUK code, which is used to unlock a SIM after too many incorrect PIN entries, could lend credibility to this social engineering effort or, because the PUK is what unlocks a PIN-locked SIM, undermine PIN controls outright. A successful SIM swap allows an attacker to intercept SMS-based two-factor authentication (2FA) codes, providing a pathway to compromise online banking, email, and social media accounts. Furthermore, the theft of names and telephone numbers provides ample material for highly convincing smishing (SMS phishing) and vishing (voice phishing) campaigns, as these elements allow for personalized and seemingly legitimate communications [4].
Criticism of the Response and Mitigation Strategies
The company’s response has not been without criticism. Inti De Ceukelaire, Chief Hacker at Intigriti, criticized Orange Belgium’s public communication on LinkedIn, characterizing it as a standard “corporate PR playbook” that downplayed the serious risks of SIM swapping [4]. The critique suggested that Orange’s response placed an undue burden of security on the customer rather than taking more definitive protective measures. Some security professionals argued that a more robust mitigation strategy, despite its high cost and complexity, would involve proactively issuing new SIM cards to all affected customers, thereby invalidating the stolen SIM and PUK data entirely. Orange Belgium’s actual mitigation steps included blocking access to the affected system upon discovery, strengthening overall security measures, notifying Belgian data protection authorities, and initiating a customer notification process via email and SMS [1, 4, 5].
Relevance for Security Professionals
For security teams, this breach is a case study in the value of specific non-financial data. Defensive strategies should be updated to account for the threat of SIM swap-enabled account takeovers, particularly for employees in privileged roles. Organizations relying on SMS for 2FA should reassess this choice for critical systems, favoring more secure alternatives like hardware tokens or authenticator applications. Monitoring for phishing campaigns that leverage known data breaches for personalization is also crucial. The incident underscores the need for robust network segmentation and access controls to limit lateral movement, ensuring that a breach in one system does not automatically grant access to all customer data, especially authentication secrets.
Conclusion
The Orange Belgium breach demonstrates a continued focus by threat actors on the telecommunications sector. The theft of customer data, specifically SIM and PUK information, shows a strategic shift towards enabling complex identity-based attacks like SIM swapping rather than seeking direct financial gain. While Orange Belgium has taken steps to contain the incident and inform customers, the criticism from security experts highlights the challenge companies face in balancing public relations with transparent communication of technical risks. This event serves as a reminder of the evolving tactics used by threat actors and the critical need for defensive plans that extend beyond protecting traditional financial data to include all personally identifiable information that can be weaponized.