Orange Belgium has suffered a major data breach in which an attacker accessed the personal information of approximately 850,000 customers, with SIM card numbers and Personal Unblocking Key (PUK) codes among the most sensitive details exposed.
The breach, disclosed in a press release dated August 20, 2025, immediately raised concerns about the increased risk of SIM swapping—a fraud technique in which criminals gain control of a victim’s phone number by transferring it to a SIM card under their control. This enables them to intercept calls and messages, including those containing one-time passcodes for multi-factor authentication, potentially bypassing account security measures.
The compromised data included customer first and last names, phone numbers, SIM card numbers, PUK codes, and tariff plan details. The company stressed that no passwords, email addresses, or banking and financial information were accessed.
Upon detecting the intrusion in late July, Orange Belgium claims it promptly blocked access to the affected system, tightened security, and notified law enforcement. Affected customers are being contacted directly with advice to remain vigilant against suspicious communications.
Notably, the incident coincides with a separate cyberattack against Orange’s French operations, although the company has not confirmed any link between the two events. The French incident reportedly did not result in unauthorized access to customer or corporate data.
In response to the breach, Orange Belgium introduced additional verification steps to prevent fraudulent SIM swaps, such as requiring customers to answer extra security questions when requesting SIM replacements. The answers to these questions were not compromised in the attack, according to the company.
However, white hat hacker Inti De Ceukelaire criticized this approach, arguing that these measures are unlikely to fully prevent SIM swapping, especially if attackers attempt to port numbers to other providers. He also noted that Orange Belgium has not provided guidance or support for changing PUK or SIM numbers—information that is typically considered highly sensitive by other telecom providers.
De Ceukelaire further criticized Orange’s initial communications for minimizing the seriousness of the breach, particularly in labeling the exposed PUK and SIM card numbers as “not critical.” He argued that this classification downplays the real-world risk to affected customers and accused Orange of misleading communications and shifting responsibility to users.
The attack on Orange Belgium has been claimed by the Warlock ransomware group, which reportedly posted samples of the stolen data online and is offering the full dataset for sale. Warlock has been linked to a recent wave of attacks exploiting vulnerabilities in Microsoft SharePoint, specifically the ‘ToolShell’ exploit chain, which came to light in July 2025.
The same group has previously targeted UK telecoms provider Colt Technology Services, leveraging one of the SharePoint-related vulnerabilities. By contrast, the French Orange incident was attributed to a different group, Babuk2, suggesting the attacks are not connected.
The breach highlights ongoing vulnerabilities in telecom security—particularly the potential for SIM swapping to undermine multi-factor authentication—and underscores the importance of robust data protection and transparent incident communication.
While Orange Belgium has taken some steps to mitigate the immediate risks, critics argue that more comprehensive safeguards and clearer customer guidance are needed to adequately protect users from sophisticated attacks.