A significant data theft at Orange Belgium has exposed hundreds of thousands of its customers to serious fraud and phishing risks.
The telecom company confirmed that data pertaining to 850,000 customer accounts was compromised during an intrusion at the end of July, with the attacker gaining access to sensitive information.
The crooks accessed the full names and phone numbers of subscribers, Orange said on Wednesday. Perhaps even more concerning, the attackers got SIM card numbers and personal unlocking key (PUK) codes.
This data could potentially prove to be a goldmine for criminals, experts told The Register, with customers now susceptible to targeted phishing and fraud campaigns.
David Rogers MBE, CEO at Windsor-based security company Copper Horse, said: “The association between the SIM ID, phone numbers, and real names is worrying and could enable very targeted frauds, such as phishing attacks addressing people by name or to re-associate phone numbers with a real person.”
Keith Martin, professor of information security at Royal Holloway, University of London, concurred: “Large data breaches of this type simply should not happen, regardless of the utility of the stolen data. Having access to names linked to mobile numbers creates avenues for an attacker to conduct more plausible personalized phishing attacks.”
However, Martin added that the SIM card number exposure might not be as serious an issue, provided that Orange Belgium never relies on those for identity-verification purposes. The company has not explicitly stated that it has taken this precaution.
In Orange Belgium’s announcement, the telco said “no critical data was compromised.” Here, it referred to passwords, email and home addresses, and financial information – all of which are thought to be safe.
However, Rogers said that this “seems wrong” and that it “could cause real harm.”
“For example, imagine how much data of domestic violence victims, celebrities, or politicians is in there? All of those people are going to have to change their phone numbers.”
As for PUK codes, which can be used to unblock a SIM whose PIN has been locked out after too many wrong entries, both Rogers and Martin said that this is less of a concern than the other data types.
“The PUK is used to unlock a SIM protected with a PIN code if the PIN has been entered incorrectly too many times,” Rogers said. “However, in the modern era, this is rarely, if ever, used so to me this is less of a concern.”
Martin added: “Knowledge of PUK codes presents a possible risk if an attacker somehow manages to directly access an impacted mobile device, but it is more of a secondary risk than a primary one.”
Orange acknowledged the same risks as the experts, saying via its dedicated cyberattack page that a fraudster’s main goal would be to deceive customers into handing over more sensitive information such as passwords and bank details.
It also ruled out any possibility of the data being used for SIM-swapping purposes.
“We’ve strengthened our security checks for phone support by adding secret questions, the answers of which are not part of the accessed data,” it said. “Furthermore, we continue to verify identity in our stores by scanning ID cards.”
SIM swapping is a social-engineering attack in which a fraudster persuades a carrier to move a victim's phone number onto a SIM the fraudster controls. The consequences are myriad, but chief among them is that the attacker becomes the sole recipient of SMS-based authentication codes sent to that number.
Receiving those codes can lead to account takeover, including of banking apps that rely on SMS for login or transaction approval.
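One control that relying parties use against the SIM-swap scenario described above is to correlate SIM-change events with subsequent one-time-code requests and treat a code sent shortly after a swap as suspicious. The following is an added example, not code from Orange Belgium or from The Register; the event format, the 24-hour window and the sample events are all constructed for illustration.

```python
"""Flag SMS one-time codes sent to numbers whose SIM was changed recently.

Added example (not Orange Belgium's code). The log format below is invented:
<ISO timestamp> <event> <msisdn> [key=value ...]. Real carrier and bank
feeds differ, but the correlation logic is the same.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events, deliberately out of time order to show sorting.
SAMPLE_EVENTS = """\
2025-08-20T09:17:00 OTP_SENT   +32470000001 service=bank
2025-08-20T09:00:00 SIM_CHANGE +32470000001 channel=phone
2025-08-18T12:00:00 SIM_CHANGE +32470000002 channel=store
2025-08-21T08:00:00 OTP_SENT   +32470000002 service=bank
2025-08-20T10:00:00 OTP_SENT   +32470000003 service=mail
"""


@dataclass
class Event:
    ts: datetime
    kind: str
    msisdn: str
    attrs: dict


def parse_events(text):
    """Parse the constructed log format into Event objects, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, msisdn, *rest = line.split()
        attrs = dict(item.split("=", 1) for item in rest)
        events.append(Event(datetime.fromisoformat(ts), kind, msisdn, attrs))
    # Events from different systems rarely arrive in order; sort before correlating.
    events.sort(key=lambda e: e.ts)
    return events


def flag_risky_otps(text, window=timedelta(hours=24)):
    """Return (msisdn, service, swap_channel) for every OTP sent within
    `window` of the number's most recent SIM change.

    The window is an assumption for this example; tune it to observed
    fraud timing, and prefer a step-up (app push, call-back to a known
    contact) over blocking outright so legitimate new-SIM customers still
    get service.
    """
    last_swap = {}
    flagged = []
    for ev in parse_events(text):
        if ev.kind == "SIM_CHANGE":
            last_swap[ev.msisdn] = ev
        elif ev.kind == "OTP_SENT":
            swap = last_swap.get(ev.msisdn)
            if swap is not None and ev.ts - swap.ts <= window:
                flagged.append(
                    (ev.msisdn, ev.attrs.get("service"), swap.attrs.get("channel"))
                )
    return flagged


if __name__ == "__main__":
    for msisdn, service, channel in flag_risky_otps(SAMPLE_EVENTS):
        print(f"suspicious OTP to {msisdn} for {service}: SIM changed via {channel}")
```

In the sample, only +32470000001 is flagged: its code went out 17 minutes after a SIM change made over the phone-support channel, exactly the path Orange says it has hardened with secret questions. The number whose SIM was changed in a store three days earlier, and the number with no SIM change at all, are left alone.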
Three of the more notorious and prolific groups known for SIM-swapping claimed in recent weeks that they were joining forces. Scattered Spider, Lapsus$, and ShinyHunters launched a joint Telegram channel on August 8, and onlookers saw members seemingly looking to start a ransomware operation.
All three have high-profile rap sheets, littered with intrusions of big organizations such as Las Vegas casinos, retail multinationals, tech giants, major airlines, and more.
Threat averted?
Orange Belgium insists that there is no evidence (yet) to suggest that the stolen data has been disseminated or otherwise abused.
However, it advised customers to change their passwords regularly, using strong strings of at least 12 characters that mix numbers, letters, and symbols.
The telco also warned against reusing passwords for multiple accounts, to never share authentication codes, and to remain vigilant to suspicious links, attachments, calls, or texts.
It has not committed to issuing financial compensation to those affected, acknowledging that under GDPR, victims could be entitled to a payout.
However, it said that this depends on each situation and company, and compensation would only be considered if a customer could demonstrate a firm link between its breach and material harm resulting from it, such as identity theft, financial loss, or moral damage.
“If no damage is found, financial compensation is not automatically provided,” it said.
The Register asked Orange for more information about the incident, including whether it could confirm or deny if ransomware was involved, or if it was being extorted. It declined to comment.
There is no loss of services. All mobile, internet, and TV lines remain operational. ®