Orange Data Breach Raises SIM-Swapping Attack Fears

A threat actor has compromised 850,000 Orange Belgium customer accounts, with SIM card numbers and Personal Unblocking Key (PUK) codes among the data potentially accessed.

The attack has raised fears of SIM swapping attacks targeting those affected.

SIM swapping occurs when a victim’s phone number is transferred to a cybercriminal’s own SIM card.

This enables fraudsters to intercept calls and messages intended for the victim, including those containing one-time passcodes used for multi-factor authentication (MFA).

The PUK code is an eight-digit security code that can be used to unlock a SIM card if an incorrect PIN is entered several times.

Orange’s Belgium subsidiary revealed the incident in a press release published on August 20. It said a threat actor gained access to an IT system containing customer first names, surnames, telephone numbers, SIM card numbers, PUK codes and tariff plans.

“As soon as the incident was discovered, our teams blocked access to the affected system and tightened our security measures. Orange Belgium has also alerted the competent authorities and filed an official complaint with the judicial authorities,” the firm wrote in the release.

“The customers concerned have been or will be informed by e-mail and/or text message. We advise them to remain vigilant for suspicious communication,” Orange Belgium added.

No passwords, email addresses or banking and financial data were accessed in the attack.

The intrusion was detected in late July, the telecoms firm noted. This is around the same time that Orange reported a cyber-attack affecting its French operations, although it said that no corporate or customer data was accessed in this incident.

In response to an email enquiry from Infosecurity, Orange Belgium did not confirm whether the two incidents were related.

Orange’s Response to SIM Swapping Threat Under Scrutiny

In an attempt to allay concerns over the data breach, Orange Belgium published a separate customer information webpage which outlined extra security measures it had implemented following the incident.

These include additional verification controls to prevent an attacker from requesting replacement of customer SIM cards. Orange Belgium said its phone support team will ask extra secret questions if any such request is made. The answers to these questions are not included in the personal data accessed by the hackers.

In a series of LinkedIn posts on August 20, Orange Belgium customer and white hat hacker at bug bounty firm Intigriti, Inti De Ceukelaire, said the company’s new measures do nothing to address the threat of SIM swapping.

“Orange has tweaked their FAQ to dismiss SIM swapping concerns because they are now also asking ‘secret questions’ and still do ID verification for physical swaps. How these additional measures prevent attackers from transferring the number to a different provider is not addressed. Still no efforts or guidance on how to change PUK and SIM number which all other providers seem to consider as very sensitive info,” he wrote.

De Ceukelaire also criticized Orange Belgium’s initial communication about the incident more generally in a later blog post. In particular, he condemned the company’s use of language that downplayed the seriousness of the data breach.

This includes the statement that “no critical data” was compromised.

“In this case, phone numbers, PUK and SIM card numbers (that could come in handy during SIM swapping attacks) are not defined as critical despite being extremely rare for hackers to get their hands on,” he noted.

He also accused the company of “deception” in its communications and “deflecting responsibility onto their customers.”

Warlock Claims Latest Orange Cyber-Attack

The attack on Orange Belgium has been claimed by the Warlock ransomware group. The ransomware group monitoring platform Ransomware.live revealed the actor has posted a sample of data it purportedly stole from the company on its data leak site.

The Warlock group has stated that the full dataset is available for sale.

Warlock ransomware has been deployed extensively by attackers exploiting the Microsoft SharePoint ‘ToolShell’ chained vulnerability, first disclosed in July 2025.

The Warlock operator recently claimed credit for an attack on UK-based telecoms provider Colt Technology Services, which security researchers believe originated from exploitation of CVE-2025-53770, one of the two vulnerabilities involved in the ToolShell exploit chain.

The attack previously disclosed by Orange on its French operations was claimed by the threat actor group Babuk2, suggesting the two incidents are unrelated.