Orange Suffers Data Breach Affecting 850k Customers

Orange Belgium reports a cyberattack exposing SIM details, PUK codes, names, phone numbers, and tariff plans for 850,000 customers; no financial data or passwords were taken.

    Orange Belgium has confirmed a substantial data breach after a cyberattack targeted one of its internal IT systems, exposing personal and SIM-related information for roughly 850,000 customers. The company says the intrusion was discovered in late July and that it moved to cut access to the affected system once the incident was identified. Orange reported that no financial data or account passwords were compromised in the incident.

    According to Orange’s public statement, the unauthorized access was detected in late July. Company teams acted to block access to the compromised IT system as part of an immediate containment step. Following the discovery, Orange notified relevant authorities and filed a formal complaint with the judiciary to trigger a legal investigation into the incident. The exact method the attackers used to penetrate the internal system has not been disclosed in Orange’s notice.

    Data Types Exposed

    Orange’s breach notice lists the categories of data that attackers accessed, which the company says differ by customer. The exposed information includes:

    • Customer names and phone numbers
    • SIM card details and related identifiers
    • Tariff plans associated with affected lines
    • PUK (personal unblocking key) codes

    Orange explicitly stated that financial details and passwords were not compromised. The presence of SIM details and PUK codes is notable because those items can be sensitive in the telecom context and are routinely cited in industry reporting as valuable to threat actors seeking to target mobile accounts.

    Orange says it blocked access to the impacted system and alerted law enforcement and data protection authorities. The telecommunications provider also filed a formal complaint with judicial authorities, a step that typically seeks criminal investigation and potential takedown of the threat actor’s infrastructure. In its communications, Orange emphasized notification to affected individuals and engagement with authorities rather than publishing technical details about the attacker’s route into the environment.

    Customer Notification And Communication

    Orange Belgium confirmed it is notifying all affected customers by email or SMS. The company’s communications to customers include a warning to remain vigilant for phishing attempts and identity fraud, language commonly used in breach notifications. Orange further recommended that users strengthen account security with strong and unique passwords and exercise caution with suspicious links and messages. These advisories were included in Orange’s notice to impacted subscribers.

    Historical Context: Third Incident in 2025

    The company noted that this marks the third cyber incident involving Orange in 2025, with earlier incidents varying in scope and impact. Orange did not provide detailed comparisons between this event and prior incidents in the year. The recurrence of incidents in the same year is part of broader sector reporting that shows telecom operators remain frequent targets for cybercriminal activity, given the high-value data they hold and their central role in consumer communications.

    Why SIM and PUK Data Matter in Telecom Breaches

    SIM card identifiers and PUK codes are specific to mobile account management and, when exposed, can be abused in downstream attacks on subscribers. Although Orange said financial and password data were not taken, the combination of phone numbers, SIM details, and tariff plans can be used by malicious actors to craft highly targeted social-engineering campaigns. PUK codes, which unlock SIMs after multiple incorrect PIN entries, are operational details that attackers could attempt to misuse in account takeover workflows reported in other telecom breach cases.

    Orange has lodged a complaint with the judicial authorities and stated that it has informed affected users. Beyond those facts, the firm has not released a technical postmortem or a timeline that details how the attackers entered the internal system, whether any lateral movement occurred, or the forensic evidence collected. Investigations by law enforcement and any appointed forensic teams may reveal further specifics about the intrusion method, the actors involved, and whether data exfiltration extended beyond the categories Orange disclosed.

    Impacted Customers And Next Steps Announced By Orange

    In its notification, Orange asked affected customers to be alert to suspicious communications that may attempt to leverage exposed details. The company reiterated that no payment card data or passwords were part of the exposed dataset. Orange has not announced any compensatory measures such as credit monitoring or identity protection services in its public notice; its stated actions focused on containment, notification, and legal recourse.

    Sector Implications And Observations From the Incident

    This breach highlights two recurring themes in telecom-sector incidents: the sensitivity of SIM-related metadata and the operational challenge of protecting large internal IT systems that handle subscriber records. While Orange’s notice confirms the absence of financial data, the reach of the exposed fields — names, numbers, SIM metadata, tariff plans, and PUK codes — can still enable targeted fraud or social engineering against subscribers. The filing of a formal complaint suggests Orange is seeking criminal investigation, which may include working with national cybercrime units and regulatory bodies to pursue remediation and potential sanctions depending on the investigative outcome.
