Full Report
Orange Belgium, a subsidiary of telecommunications giant Orange Group, disclosed on Wednesday that attackers who breached its systems in July have stolen the data of approximately 850,000 customers. [...]
Analysis Summary
# Incident Report: Orange Belgium Customer Data Breach
## Executive Summary
In late July 2025, Orange Belgium suffered a cyberattack that resulted in unauthorized access to IT systems, impacting the data of approximately 850,000 customers. The compromise involved sensitive account information, though passwords and financial details were reportedly safe. The company detected the incident in July and is currently investigating the threat actor, notifying affected customers via email or SMS.
## Incident Details
- Discovery Date: End of July 2025 (cyberattack detected)
- Incident Date: Sometime in July 2025
- Affected Organization: Orange Belgium (Subsidiary of Orange Group)
- Sector: Telecommunications
- Geography: Belgium and/or Luxembourg
## Timeline of Events
### Initial Access
- Date/Time: End of July 2025
- Vector: Undisclosed cyberattack (Not linked to the Salt Typhoon group targeting other telecom firms)
- Details: Attackers gained unauthorized access to one of the company's IT systems.
### Lateral Movement
- Details: Not explicitly detailed; the initial access led to the compromise of systems containing specific customer data records.
### Data Exfiltration/Impact
- Details: Attackers accessed and stole data including surname, first name, telephone number, SIM card number, PUK code, and tariff plan information for 850,000 customer accounts. Passwords, email addresses, and financial information were *not* accessed.
### Detection & Response
- Date/Time: End of July 2025
- Details: Orange Belgium detected the cyberattack on one of its IT systems. The company is notifying all 850,000 affected customers via email or SMS and has an ongoing investigation.
## Attack Methodology
- Initial Access: Exploitation or compromise of an IT system (Method unspecified). Orange Belgium has stated this is a separate incident from those potentially linked to the Salt Typhoon threat group.
- Persistence: Not detailed.
- Privilege Escalation: Not detailed.
- Defense Evasion: Not detailed.
- Credential Access: Not detailed (Passwords were reportedly not compromised).
- Discovery: Not detailed.
- Lateral Movement: Not detailed.
- Collection: Gathering of customer account details (name, phone number, SIM details, PUK code, tariff plan).
- Exfiltration: Stealing the collected customer data.
- Impact: Unauthorized access and theft of Personally Identifiable Information (PII) linked to customer accounts.
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: Data of approximately 850,000 customers compromised, including names, phone numbers, SIM card numbers, PUK codes, and tariff plans.
- Operational: No encryption of systems or significant operational disruption was reported, although the parent company (Orange Group) experienced disruptions from a separate July incident.
- Reputational: Public disclosure required, negatively impacting customer trust.
## Indicators of Compromise
- Network indicators: None disclosed.
- File indicators: None disclosed.
- Behavioral indicators: Unauthorized access to a specific IT system.
## Response Actions
- Containment measures: In progress; implemented internally following detection at the end of July.
- Eradication steps: Not detailed; investigation ongoing.
- Recovery actions: Not detailed; efforts focused on customer notification and vigilance advisories.
## Lessons Learned
- Inability to prevent initial unauthorized access to sensitive IT systems containing PII.
- The need for enhanced segmentation or protection around systems storing PUK codes and tariff information, which were successfully compromised.
## Recommendations
- Conduct a full audit of the compromised IT system to determine the exact initial entry vector and ensure all backdoors are removed.
- Review and enhance security monitoring around high-value PII systems, especially those containing PUK codes.
- Increase customer vigilance training regarding social engineering attempts (suspicious messages or calls) related to the exposed data.
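The monitoring recommendation above is the kind of control a SOC would implement as a rate-based detection on the customer-account system's audit trail. The following Python is an added example, not code from Orange Belgium or from this report; the log format, field names (`puk`, `sim`), principal names and thresholds are constructed assumptions for illustration. It flags any principal whose reads returning PUK or SIM fields exceed a row budget inside a sliding time window, which is the footprint a bulk extraction of account records leaves in such a log while normal one-record-at-a-time agent lookups stay below it.

```python
"""Detect bulk reads of PUK/SIM fields from a customer-account audit log.

Hypothetical example: the log format, field names, principal names and
thresholds below are assumptions for illustration; they are not Orange
Belgium's systems or logs.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines, one event per line:
# "<ISO timestamp> <principal> <action> fields=<csv> rows=<n>"
SAMPLE_LOG = """\
2025-07-28T09:00:01Z svc-billing READ fields=msisdn,tariff rows=40
2025-07-28T09:00:05Z agent-1042 READ fields=msisdn,sim,puk rows=1
2025-07-28T09:01:10Z agent-1042 READ fields=msisdn,sim,puk rows=1
2025-07-28T09:02:00Z svc-export READ fields=name,msisdn,sim,puk,tariff rows=5000
2025-07-28T09:02:30Z svc-export READ fields=name,msisdn,sim,puk,tariff rows=5000
2025-07-28T09:03:00Z svc-export READ fields=name,msisdn,sim,puk,tariff rows=5000
2025-07-28T09:30:00Z agent-1042 READ fields=msisdn,sim,puk rows=1
"""

SENSITIVE_FIELDS = {"puk", "sim"}   # fields whose bulk exposure we care about
WINDOW = timedelta(minutes=10)      # sliding window length
ROW_THRESHOLD = 200                 # sensitive rows per principal per window


def parse_line(line):
    """Parse one constructed audit line into a dict."""
    ts, principal, action, fields_kv, rows_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "principal": principal,
        "action": action,
        "fields": set(fields_kv.split("=", 1)[1].split(",")),
        "rows": int(rows_kv.split("=", 1)[1]),
    }


def detect_bulk_sensitive_reads(log_text, window=WINDOW, threshold=ROW_THRESHOLD):
    """Return one (principal, iso_timestamp, rows_in_window) tuple for each
    time a principal's sensitive-field row count inside the sliding window
    first crosses the threshold. Repeated events while still over the
    threshold do not re-alert; dropping back below re-arms the alert."""
    alerts = []
    history = defaultdict(deque)   # principal -> deque of (ts, rows) in window
    running = defaultdict(int)     # principal -> sum of rows currently in window
    alerted = set()                # principals currently over the threshold
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        # Only events that returned at least one sensitive field count.
        if not (ev["fields"] & SENSITIVE_FIELDS):
            continue
        p = ev["principal"]
        q = history[p]
        q.append((ev["ts"], ev["rows"]))
        running[p] += ev["rows"]
        # Expire events that fell out of the window relative to this event.
        while q and ev["ts"] - q[0][0] > window:
            _, old_rows = q.popleft()
            running[p] -= old_rows
        if running[p] > threshold:
            if p not in alerted:
                alerted.add(p)
                alerts.append((p, ev["ts"].isoformat(), running[p]))
        else:
            alerted.discard(p)
    return alerts


if __name__ == "__main__":
    for principal, when, rows in detect_bulk_sensitive_reads(SAMPLE_LOG):
        print(f"ALERT {when} {principal} read {rows} PUK/SIM rows within {WINDOW}")
```

On the constructed sample only `svc-export` trips the rule, at its first 5,000-row read; the per-record agent lookups never accumulate past the budget. In practice the threshold would be set from a baseline of each role's normal volume, and the same window logic can be applied per source host or per API client rather than per principal.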