European Telecom Security Under Scrutiny After Orange Belgium Hack

Leaked SIM and PUK data heighten SIM-swapping risks as critics fault Orange’s response; company says no passwords, emails or banking data were taken.

Orange Belgium disclosed that a cyberattack in late July exposed personal data tied to about 850,000 customer accounts, including SIM card numbers and PUK codes—information that could aid SIM-swapping fraud. The carrier notified authorities and customers, tightened security, and stressed that no passwords, emails or financial data were compromised.

BRUSSELS — Orange Belgium said a July cyberattack compromised data for roughly 850,000 customer accounts, including SIM and PUK information, prompting warnings from security experts about elevated SIM-swapping risks across the country.

Orange Belgium detected the intrusion at the end of July, blocked access to the affected system, informed authorities, and filed an official complaint with judicial authorities. Exposed fields include name, phone number, SIM card number, PUK code and tariff plan. Orange emphasized that passwords, email addresses, and financial data were not accessed.

The operator said some services could be affected while it responds to the incident, but did not disclose the specific attack method. The disclosure follows a July cyber incident at Orange Group and a broader wave of attacks on European telecoms.

Security researchers warned that leaking SIM identifiers and PUK codes can facilitate social-engineering and account-takeover attempts. In a widely shared post, Inti De Ceukelaire, chief hacker at bug-bounty platform Intigriti, called Orange’s response “very disappointing,” accusing the company of following “the same old corporate PR playbook” that shifts risk to customers.

• Orange Belgium (statement): “At the end of July, Orange Belgium detected a cyberattack… resulting in unauthorized access to certain data from 850,000 customer accounts.”
• Inti De Ceukelaire (Intigriti): Orange’s handling was “very disappointing,” following “the same old corporate PR playbook,” and downplaying SIM-swapping and number-theft risks.
• Europol (on SIM-swap method): SIM-swap fraud occurs when criminals “dupe the victim’s mobile phone operator into porting the victim’s mobile number to a SIM” they control.
• “Leaking SIM and PUK data materially raises account-takeover risk. Carriers should enable port-out freezes by default, and customers should move off SMS codes to app-based or hardware-key MFA immediately.” — El Mostafa Ouchen, cybersecurity author & educator

What likely happened:
Orange has not disclosed the intrusion vector. Given the data types exposed (customer identifiers and SIM/PUK data), plausible avenues include compromise of a customer-care or provisioning system, exposed credentials to an internal CRM/API, or a third-party vendor with access to SIM management data. No evidence has been provided of ransomware or data-destroying activity. (Orange says it knows which system was accessed but has not named the attacker.)

Why SIM/PUK exposure matters:

• SIM number + PUK can support social-engineering against carriers, easing fraudulent number transfers or PIN resets. Once a number is taken over, attackers intercept SMS codes for banking and email resets.
• Europol has documented substantial losses from SIM-swap operations, which typically begin with identity data and end with account takeovers.

Mitigations (carrier & customer):

• Carrier: Enforce strict port-out verification; flag high-risk accounts; rate-limit SIM profile changes; require in-app or out-of-band confirmations; monitor for abnormal SIM-swap velocity.
• Customer: Add a SIM/account PIN and enable “number transfer protection”; switch from SMS to app-based or FIDO2 security keys; monitor bank/email for unusual activity; consider requesting a new SIM from the carrier.

Impact & Response

Who’s affected: Approximately 850,000 Orange Belgium customer accounts. Orange is notifying customers by SMS/email and coordinating with Belgian authorities.

Immediate actions: Isolation of the affected system, tightened security controls, customer communications, and law-enforcement engagement. The company cautioned potential service impacts during remediation.

Long-term implications:
Telecom data stores—especially SIM provisioning environments—remain attractive targets. Similar incidents across Europe and at Orange affiliates this year point to persistent attacker focus on telco identity footholds.

The disclosure comes amid repeated attacks on European telecoms and follows Orange Group’s separate July incident. Independent outlets and researchers this week echoed warnings that SIM-swapping risk rises when SIM/PUK data is exposed, even if passwords or bank details were not taken.

The Orange Belgium breach underscores a growing telecom security challenge: safeguarding identity-critical metadata that can unlock downstream fraud. Carriers will face pressure to harden SIM-management workflows, while consumers should immediately upgrade their authentication practices and request stronger port-out protections.

Source: Politico Europe — “Almost 1 million Belgian users hit in Orange cyberattack.”

Orange Belgium — Company statement/notices on July cyber incident and affected data fields.

Europol — Public guidance explaining SIM-swap fraud tactics and risks.