Orange Belgium targeted in cyberattack
Telecoms operator Orange Belgium has been the target of a cyberattack that allowed hackers to access 850,000 customer accounts, the company has announced.
The attack happened at the end of July. The announcement came so long after the incident because the operator had to assess the extent of the data affected and put certain measures in place before communicating with its customers.
No critical data was compromised: no passwords, email addresses, bank or financial details have been affected, Orange Belgium said.
However, the hacker did gain access to a computer system containing data such as first and last names, telephone numbers, SIM card numbers, PUK codes and price plans.
“As soon as the incident was detected, our teams blocked access to the affected system and strengthened our security measures,” the company said in a statement.
“Orange Belgium has also alerted the relevant authorities and filed an official complaint with the judicial authorities.”
In the meantime, Orange recommends that affected customers remain vigilant for any suspicious communications. These customers have been or will be contacted by email and/or SMS.
“The information accessed could be used by fraudsters to try to contact you by phone, email or text message and pretend to be Orange or another company,” the telecoms operator said on its website.
“The main aim would be to trick you into sharing more sensitive data such as passwords or bank details.”
Beyond this risk, Franck Dumortier, a researcher at the Cyber & Data Security Lab at the Vrije Universiteit Brussel (VUB), also warns of "SIM swapping".
“This technique involves a hacker posing as the real owner of a SIM card using information collected on the internet and social networks, such as a surname, first name or other identifying data,” Dumortier explained.
“Then, using this identification data, they request a replacement card. The new SIM card is then sent to the hacker, who can use it to impersonate the real cardholder and make payments or access authentication codes.”
The fact that the hacker has access to the SIM card number gives them additional information to "convince the operator that the person is who they claim to be", according to the expert.
To limit this risk, the law has stipulated since 2022 that operators cannot issue SIM cards without seeing an identity document.
“It’s very important that operators comply with this provision,” Dumortier said.
Orange Belgium, without going into details about customer identification for security reasons, told RTBF that "measures have been taken at various levels to limit all risks".
“We have strengthened our security controls for our telephone support by adding secret questions whose answers are not part of the data consulted,” an updated version of the company’s website reads.
“In addition, in stores, we continue to verify identity by scanning ID cards.”
Although the parent company Orange was also recently the target of a cyberattack, the two incidents are not related, according to Orange Belgium.