
Orange Belgium Data Breach Exposes SIM and PUK Codes of 850K Users

Orange Belgium confirmed a data breach in late July 2025 that compromised the SIM card identifiers and PUK codes of over 850,000 users, significantly increasing the risk of SIM-swap and port-out fraud. Although passwords and financial data were not stolen, the exposed metadata could be exploited for identity impersonation. With GDPR and NIS2 compliance in focus, telecom operators must urgently address SIM security, MFA vulnerabilities, and customer trust through stronger authentication and breach transparency.

Orange Belgium data breach: SIM and PUK exposed, 850K at risk

A late-July security incident at Orange Belgium exposed customer identifiers that materially raise SIM-swap and number port-out risk, even though passwords and banking data were not taken.

SIM and PUK Code Exposure: Scope of Orange Belgium’s Data Breach


Orange Belgium disclosed unauthorized access to an internal IT system containing customer names, phone numbers, SIM card identifiers (often referred to as ICCID), PUK codes, and tariff plans, affecting roughly 850,000 accounts. The operator says it contained the breach, notified authorities, and began customer outreach by SMS and email. The company emphasized that account passwords, email addresses, and financial details were not exposed. A separate July cyber incident reported by Orange’s French operations was said to be unrelated.

Ransomware Actors and Exploits Behind the Orange Belgium Hack

The Warlock ransomware group posted sample data claiming responsibility and offering a larger dataset for sale; the group has been tied by researchers to exploit chains targeting Microsoft SharePoint in other campaigns. Orange Belgium, however, stated the actor behind this breach is known to the company and not linked to international groups, and it declined to provide further details pending investigation. That attribution gap matters because it will drive different containment, legal, and cross-industry intelligence-sharing actions.

Why it matters: SIM-swap and MFA exposure

Exposed SIM and PUK metadata can lower the barriers for social engineering against both carriers and enterprises that still rely on phone numbers for identity proofing and second-factor authentication.

How ICCID/PUK data fuels carrier fraud

Knowing a customer’s ICCID and PUK does not directly grant access to an account, but it strengthens impersonation attempts during SIM replacement or number port-out requests. These data points are rarely available to attackers at scale and can be used to answer knowledge-based checks at contact centers or to unlock a physically stolen SIM. Belgian security researcher Inti De Ceukelaire criticized early mitigations that focused on extra secret questions for in-store swaps but did not address cross-operator number transfers. That gap is important: fraudsters often bypass the originating carrier by initiating a port to another provider with looser controls.

Impact on MFA, messaging, and payments

SIM-swap attacks enable interception of SMS one-time passwords used by banks, cloud apps, and consumer services, as well as re-registration of messaging apps bound to phone numbers. This creates account takeover pathways even for enterprises with MFA, if SMS or voice is still in the fallback chain. Guidance from security standards bodies has long urged moving away from phone-number-based factors toward phishing-resistant methods.

The shifting telecom security landscape

For telcos, this incident underscores a broader shift in attacker focus to identity-rich systems and BSS/CRM environments that fuel high-value fraud.

Ransomware focus on identity data and portals

Operators are being probed via public-facing collaboration platforms, VPNs, and service portals, with exfiltration of subscriber metadata a frequent objective. Data that seems non-financial can be monetized through SIM swaps, targeted phishing, and business email compromise. Attacks exploiting enterprise software vulnerabilities have been a recurring entry point, with follow-on lateral movement into customer data repositories.

GDPR/NIS2 impacts and customer trust

European telcos sit under GDPR and the expanded obligations of NIS2, which tighten incident reporting, risk management, and supply chain controls. Beyond potential penalties, major enterprise customers will expect concrete improvements in SIM-swap prevention, identity proofing, and data vaulting, along with transparent communications on risk and remediation timelines.

Immediate actions for telecom operators

Reducing end-user risk and restoring trust requires both immediate controls on subscriber operations and deeper hardening of identity systems.

Strengthen SIM-swap and port-out defenses

Move away from knowledge-based authentication. Require high-assurance, out-of-band confirmation for SIM changes and ports, such as in-app confirmations tied to a previously registered device, verified email, or national eID where available. Offer a customer-enabled no-port/no-SIM-change lock with in-person or high-assurance digital override only. Implement cooling-off periods for SIM replacements and ports, and monitor swap/port velocity and anomalies. Coordinate cross-operator port-out protections via GSMA Fraud and Security Group best practices and local number portability authorities. For impacted subscribers, provide a clear path to rotate PUKs and ICCIDs by issuing new SIMs/eSIM profiles at no cost.
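The controls in this paragraph can be expressed as one decision function applied to every SIM-swap and port-out request. The sketch below is an added example, not code from Orange Belgium or any operator; the class names, the 24-hour cooling-off period and the 30-day velocity threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed policy values for illustration; tune to the operator's fraud data.
COOLING_OFF = timedelta(hours=24)
VELOCITY_WINDOW = timedelta(days=30)
MAX_CHANGES_IN_WINDOW = 2

@dataclass
class Subscriber:
    msisdn: str
    change_lock: bool = False                     # customer-enabled no-port/no-SIM-change lock
    history: list = field(default_factory=list)   # datetimes of earlier swaps/ports

@dataclass
class ChangeRequest:
    kind: str                      # "sim_swap" or "port_out" (same checks for both)
    when: datetime
    knows_iccid_puk: bool = False  # knowledge-based answer: recorded, never trusted
    oob_confirmed: bool = False    # in-app confirmation on a previously registered device
    high_assurance: bool = False   # in-person ID check or national eID

def decide(sub, req):
    """Return (decision, reason, effective_at); effective_at is None unless scheduled."""
    if sub.change_lock and not req.high_assurance:
        return "deny", "change lock set; high-assurance override required", None
    if not (req.oob_confirmed or req.high_assurance):
        # Reciting ICCID/PUK proves nothing once those values have leaked.
        return "deny", "no out-of-band or high-assurance confirmation", None
    recent = [t for t in sub.history if timedelta(0) <= req.when - t <= VELOCITY_WINDOW]
    if len(recent) >= MAX_CHANGES_IN_WINDOW:
        return "hold", "swap/port velocity anomaly; route to fraud review", None
    # Approved changes only take effect after the cooling-off period, which
    # leaves time to notify the current SIM and for the customer to object.
    return "schedule", "confirmed; cooling-off applies", req.when + COOLING_OFF

if __name__ == "__main__":
    now = datetime(2025, 8, 1, 10, 0)   # constructed sample data
    alice = Subscriber("+32470000001", change_lock=True)
    print(decide(alice, ChangeRequest("port_out", now, knows_iccid_puk=True)))
    print(decide(alice, ChangeRequest("port_out", now, high_assurance=True)))
```

Port-out requests go through the same function as in-store swaps, which is the cross-operator gap the article notes was left open by mitigations limited to extra secret questions.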

Protect ICCID/PUK: vault, encrypt, minimize

Treat ICCID and PUK like secrets. Vault and encrypt them with hardware-backed key management, segregate access from general CRM users, and tokenize where feasible. Apply least-privilege and just-in-time access for customer service agents. Instrument DLP and egress controls to detect unusual access and large reads of identity fields. Align logging and telemetry to quickly trace data access during investigations.
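Detection of large reads of identity fields can start from the access audit log. The following is an added example, not tooling described in the article: the log format, agent names and thresholds are hypothetical, and the sample log is constructed inline.

```python
import re
from collections import defaultdict
from statistics import median

SENSITIVE = {"iccid", "puk"}     # identity fields the article says to treat as secrets
LINE = re.compile(r"(?P<ts>\S+) agent=(?P<agent>\S+) action=read "
                  r"fields=(?P<fields>\S+) subscriber=(?P<sub>\S+)")

def bulk_readers(lines, factor=10, floor=50):
    """Flag (agent, hour) buckets reading ICCID/PUK for unusually many subscribers."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m or not SENSITIVE & set(m["fields"].split(",")):
            continue
        hour = m["ts"][:13]                       # e.g. "2025-07-28T09"
        seen[(m["agent"], hour)].add(m["sub"])    # distinct subscribers, not raw reads
    counts = {k: len(v) for k, v in seen.items()}
    if not counts:
        return {}
    # Threshold relative to peers, with an absolute floor for quiet hours.
    limit = max(floor, factor * median(counts.values()))
    return {k: n for k, n in counts.items() if n > limit}

def sample_log():
    """Constructed audit log in a hypothetical format: three agents, one service account."""
    out = []
    for i, agent in enumerate(("a01", "a02", "a03")):
        for n in range(4 + i):
            out.append(f"2025-07-28T09:{n:02d}:00Z agent={agent} action=read "
                       f"fields=name,iccid,puk subscriber=S{i}{n:03d}")
    for n in range(500):
        out.append(f"2025-07-28T09:{n % 60:02d}:{n % 60:02d}Z agent=svc-export action=read "
                   f"fields=iccid,puk subscriber=S9{n:03d}")
    out.append("2025-07-28T09:30:00Z agent=a01 action=read fields=tariff subscriber=S0001")
    return out

if __name__ == "__main__":
    print(bulk_readers(sample_log()))
```

Counting distinct subscribers per account per hour, rather than raw read events, keeps an agent who reopens the same customer record from looking like an exfiltration.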

Close entry points and improve resilience

Rapidly patch and harden internet-facing collaboration platforms and portals; review known exploit chains associated with recent telecom incidents. Enforce multi-factor authentication for admin access, implement microsegmentation, and deploy EDR/XDR with threat hunting focused on data discovery behaviors. Maintain tested, immutable backups and practice tabletop exercises that include subscriber data exfiltration and coordinated fraud response.

Clear, coordinated breach communications

Avoid minimizing language. Publish concrete steps customers can take (e.g., enabling no-port locks, updating MFA) and provide guidance for rotating SIM credentials. Coordinate with national CSIRTs and the GSMA T-ISAC to share indicators and fraud patterns, and keep enterprise customers informed with technical advisories suitable for their security teams.

What Users and Enterprises Must Do After the Orange Belgium Data Breach

Organizations and individuals reliant on phone-number-based authentication should assume elevated risk and adjust controls accordingly.

Move off phone-number-based authentication

Prioritize phishing-resistant authentication like FIDO2/WebAuthn security keys or platform authenticators. Remove SMS/voice as an MFA fallback for admin and high-risk accounts. Use app-based TOTP or push with number matching as an interim step, and review account recovery flows to ensure they do not revert to phone numbers.

Detect and respond to SIM swaps faster

Enable carrier account PINs and request a no-port lock where available. Monitor for loss of cellular service, unexpected SMS floods, or carrier change notifications. Turn on high-sensitivity alerts for banking and cloud accounts, and verify any requests to re-enroll messaging apps tied to phone numbers. For corporate fleets, monitor device enrollments and MDM compliance following suspected swaps.

What’s Next: Threat Attribution, Regulatory Moves, and Industry Reaction

Key indicators in the coming weeks will shape risk posture and industry response.

Clarity on vector, actor, and exploits

Expect more detail on the intrusion vector and actor. If public exploits or third-party software issues are confirmed, operators should align patching and detection guidance quickly. Monitor for wider data leakage or targeted fraud using the exposed fields.

Industry controls and regulatory moves

Watch for strengthened cross-operator port-out controls, updated GSMA guidance on SIM-swap mitigation, and regulator expectations under NIS2. Banks and cloud providers may further deprecate SMS-based MFA, accelerating the shift to phishing-resistant authentication across ecosystems.

