Statement from Orange Belgium S.A. on August 20 2025: At the end of July, Orange Belgium detected a cyberattack on one of its IT systems, resulting in unauthorised access to certain data from 850,000 customer accounts. No critical data was compromised: no passwords, email addresses, bank or financial details were hacked. However, the hacker gained...
# Incident Report: Orange Belgium Customer Data Breach
## Executive Summary
In late July 2025, Orange Belgium detected a cyberattack resulting in unauthorized access to an IT system containing personal data for approximately 850,000 customers. While critical data like passwords and financial details were confirmed safe, the compromised information included names, phone numbers, SIM card numbers, PUK codes, and tariff plans. Orange Belgium contained the breach promptly, notified authorities, and began customer communication.
## Incident Details
- Discovery Date: End of July 2025
- Incident Date: Occurred prior to or around the end of July 2025
- Affected Organization: Orange Belgium S.A.
- Sector: Telecommunications
- Geography: Belgium
## Timeline of Events
### Initial Access
- Date/Time: Late July 2025 (when detected)
- Vector: Not specified in the public statement; the attacker obtained unauthorized access to an internal IT system.
- Details: The compromised IT system hosted the affected customer records.
### Lateral Movement
- Details: Not specified in the public statement, but the scope was limited to one specific IT system.
### Data Exfiltration/Impact
- Details: Access gained to data for 850,000 customer accounts, including surname, first name, telephone number, SIM card number, PUK code, and tariff plan.
- **Not Compromised:** Passwords, email addresses, and bank/financial details.
### Detection & Response
- **Detection:** Orange Belgium detected the cyberattack at the end of July 2025.
- **Response Actions:** Teams immediately blocked access to the affected system and tightened security measures. Authorities were alerted, and a judicial complaint was filed. Affected customers are being notified.
## Attack Methodology
- Initial Access: Unauthorized access to an IT system (Specific vector undisclosed).
- Persistence: Not detailed.
- Privilege Escalation: Not detailed.
- Defense Evasion: Not detailed.
- Credential Access: Not detailed.
- Discovery: Not detailed.
- Lateral Movement: Movement appears limited to the specific compromised IT system.
- Collection: Gathering of PII, SIM/PUK information, and subscription details.
- Exfiltration: Implied, as unauthorized access led to data compromise.
- Impact: Unauthorized access and potential theft of non-critical personal data.
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: Personal data (Name, phone number, SIM/PUK code, tariff plan) for approximately 850,000 customer accounts.
- Operational: No operational disruption was stated; the disclosed response focused on blocking access to and remediating the affected system.
- Reputational: Negative impact due to the compromise of extensive customer data.
## Indicators of Compromise
*Note: No specific artifacts (IPs/URLs/Hashes) were disclosed publicly.*
- Network indicators: Undisclosed.
- File indicators: Undisclosed.
- Behavioral indicators: Unauthorized access to a specific IT system.
## Response Actions
- **Containment:** Access to the affected IT system was immediately blocked.
- **Eradication:** Security measures were tightened across the environment.
- **Recovery:** Customer notification initiated via email/text message. Legal proceedings commenced.
## Lessons Learned
- A gap existed in the security controls protecting the IT system containing detailed customer records (name, PUK, SIM data).
- The incident response process established the scope of the compromise (confirming that critical data such as passwords, email addresses and financial details were not affected) and initiated mandatory reporting to the authorities.
## Recommendations
- Conduct a thorough forensic analysis to determine the precise method of initial access.
- Review and enforce segmentation and least-privilege access controls around all systems containing sensitive customer identifying information (PII) and critical authentication elements (PUK codes).
- Enhance monitoring of system file integrity and of unusual internal data access patterns (for example, bulk reads of customer records by a single account or host), and review telemetry from the period leading up to the detection date to establish the dwell time.