Orange has confirmed that personal data belonging to 850,000 customers was accessed during a cyberattack in July, raising concerns across Europe about the growing threat of SIM-swapping fraud.
The operator disclosed that hackers infiltrated one of its systems, compromising names, telephone numbers, SIM identifiers, tariff details and Personal Unblocking Keys (PUKs). These codes, which can unlock SIM cards after repeated failed PIN attempts, are regarded by security specialists as particularly sensitive because they can be exploited in fraudulent transfers of mobile numbers.
In a statement released late last week, Orange Belgium said: “As soon as the incident was discovered (in July), our teams blocked access to the affected system and strengthened our security measures. The relevant authorities have been notified and an official complaint has been filed with the judicial authorities.”
The operator has launched a dedicated webpage explaining the nature of the breach, the protective steps taken, and advice for customers. It is contacting those affected directly. The company stressed that it will provide no further details while the investigation remains active, citing privacy concerns and the need to preserve evidence.
The disclosure follows confirmation of another cyber incident within Orange Group’s French operations in late July, though the company insists that no customer or corporate data was accessed in that case.
Orange Belgium, which employs 1,500 staff and serves more than three million customers across Belgium and Luxembourg, reported €1.34 billion in service revenues last year.
For the insurance sector, the incident underscores the twin challenges of cyber risk and data privacy liability. SIM-swapping has long been regarded as a key enabler of financial fraud, allowing attackers to intercept one-time passcodes used in multi-factor authentication. In recent years, insurers have observed rising claims from businesses and individuals who have suffered losses after such breaches.
The incident will likely renew debate among underwriters about how cyber and crime policies address the consequences of mobile identity theft. While Orange has so far played down the extent of the data exposed - emphasising that passwords, emails and financial details were not compromised - insurers warn that even partial identifiers can provide criminals with enough leverage to mount sophisticated social engineering attacks.
Orange Belgium’s disclosure marks the third cyber incident connected to the wider Orange Group this year, adding to a broader picture of persistent assaults on European telecom providers. Such breaches raise concerns not only for consumer protection but also for professional services, where mobile authentication forms a crucial component of secure client communications.
For insurers, the breach is a timely reminder that the reliability of third-party technology providers represents a critical element of operational risk. As more claims arise from identity fraud and cyber-enabled theft, both underwriters and brokers will need to scrutinise exposures linked to mobile networks, while policyholders will expect greater clarity on coverage in the event of SIM-related attacks.
