CONTACT US

Orange Belgium affected by data breach

Orange Belgium affected by data breach

850,000 customer profiles at risk

At the end of July 2025, telecom company Orange Belgium discovered that hackers had gained access to an internal IT system. As a result, they were able to view data belonging to approximately 850,000 customers. The exposed data did not include passwords or banking details, but did include names, phone numbers, SIM card numbers, PUK codes, and subscription types. According to Orange, these are not critical data. Ethical hacker Inti De Ceukelaire disagrees and warns that the risks may be far greater than the company suggests.

Response from ethical hacker Inti De Ceukelaire

De Ceukelaire emphasizes that for some customers, the leaked data is crucial to their personal security. “Anyone who has your PUK code can also reset your PIN code,” he says.

He particularly warns about the risk of SIM swapping. According to De Ceukelaire, hackers can go to another provider and request that a phone number be transferred to a new SIM card. Normally, verification procedures are required, but with some providers, presenting the SIM card number is part of that verification process.

He also warns that access to phone numbers makes it easier for hackers to gain access to email accounts, cryptocurrency wallets, and other sensitive accounts via SMS-based verification.

What does this say about IT security?

More data equals more risk
Hackers gained access to data that should not all have been stored together. Why are PUK codes, phone numbers, and customer names located in the same system? This is not secure. Storing less data in one place is often safer.

Access rights must be more strictly controlled
Not everyone within an organization needs access to sensitive data. In this case, it appears that too much information was available to too many users or systems. It is therefore important to clearly define access rights and ensure that employees only have access to what they truly need.

Detection took too long
It is unclear how long the attackers had access to the system. However, the extent of the damage suggests that the breach was not detected immediately. Effective alerting mechanisms to identify suspicious activity in a timely manner may have been lacking.

PUK codes and SIM card data are more sensitive than you might think
As De Ceukelaire pointed out, hackers can use SIM card data and PUK codes to take over SIM cards and gain access to accounts that use SMS-based two-factor authentication [NC1.1]. This once again highlights the risk of SIM swapping. Customers therefore face a real risk of identity theft.

What can we learn from this?

  • SIM card data is important. Do not assume that PUK codes or SIM card numbers are harmless—they can be misused to gain access to accounts and identities.

  • Keep sensitive data separated. Do not store too many types of personal data in a single system. This makes it more attractive to attackers.

  • Limit access. Not everyone within an organization needs access to sensitive customer data. Grant access only when absolutely necessary.

  • Ensure rapid detection. If a breach is not detected quickly, the impact can be significantly greater. Implement effective monitoring and alerting for suspicious activity.

  • Be transparent with customers. After a data breach, open and honest communication is essential. Customers want to know what happened and what actions they can take.

  • Take the lead as a company. Do not expect customers to take action on their own. Actively support them in securing their data again.

How NormNest can help

Would you like more information or expert advice? Feel free to schedule a no-obligation appointment with one of our specialists.

Your smart compliance companion.
We turn complex regulations into clear actions and help you build digital trust.

Quick Links

Services

Not sure where to start? Let us show you the way forward.

© 2025 – All Rights Reserved by NormNest Compliancy |        BE 1026 379 764 | Trust Center