Telecom operator Orange Belgium discovered a cyber attack on one of its IT systems at the end of July, which leaked 850,000 customer accounts.
At the end of July, Orange Belgium fell victim to a cyber attack. Data from approximately 850,000 customer accounts was stolen. This includes information such as name, first name, phone number, SIM card number, PUK code, and the customer’s rate plan.
According to Orange, these are not critical data, but cyber experts have their doubts about this. The company informed its customers about the cyber attack via email or message, but questions are also being raised about the company’s transparency. How could this attack on one of the largest telecom providers happen?
read also
Is Orange Minimizing the Cyber Attack that Exposed 850,000 Customer Accounts?
Critical Data or not?
The cyber attack that took place at Orange Belgium at the end of July gave hackers unauthorized access to data from 850,000 accounts. As soon as Orange’s team noticed the breach, access was immediately blocked. The company states that it does not involve critical information such as email addresses, banking details, or passwords. However, the hackers could view customers’ name, first name, phone number, SIM card number, PUK code, and rate plan.
According to ethical hacker Inti De Ceukelaire, these are indeed “critical data.” He believes Orange has not done enough to protect the affected customers. “For some people, that stolen information is crucial to guarantee their safety,” De Ceukelaire told vrtnws.
SIM Swapping
Orange unilaterally decides in its communication that the leaked data is not critical, but De Ceukelaire disagrees. “Whoever has your PUK code can also reset your PIN code.” De Ceukelaire refers to the phenomenon of simswapping, where a hacker takes your phone number to another provider.
Cybersecurity specialist Eddy Willems confirms that it’s not good that this data has been leaked, but he puts the danger of SIM swapping in Belgium into perspective. “More information is needed to change SIM cards in our country today, such as your date of birth or national registry number, and that information has not been leaked.”
While that information may have been spared from this cyber attack, hackers can still obtain it. “Malicious actors who target other databases or have social engineering skills can still get this additional information,” he warns.
Minimized
As one of the largest telecom companies in Belgium, Orange bears a great responsibility. Transparency and clear communication to customers are essential in this regard. De Ceukelaire states that the danger is greater than the communication suggests. Willems also agrees: “They have minimized the attack in the message to customers.”
Inevitable?
“It’s not unique for such data breaches to occur. Unfortunately, it’s inherent to today’s world,” says Willems. Orange does have Orange Cyberdefense, a dedicated business division specialized in cyber security.
“A security problem can always creep into a system, but with a company like Orange, you expect them to be armed against this,” he states. “Nobody knows exactly what was at the root of the security problem, except Orange itself. The foundation of good cybersecurity is testing, testing, and testing again by ethical hackers and senior consultants. It’s often in the smallest details. That’s presumably where things went wrong at Orange.”
Moreover, a provider has a lot of personal data, making it an even more attractive target. “It seems that Orange stores its data in different places, since the most critical data has not been leaked,” Willems says with relief.
Nevertheless, the data breach could have been avoided. He compares it to the security of Itsme. “They store extremely sensitive data that cannot be easily cracked. That is incredibly well secured, why can’t Belgium’s third largest telecom provider achieve this?”
Test, Test, Test
Testing, testing, and especially continuing to test, something Willems continues to emphasize and sees happening too little at companies. “Cybersecurity costs money, but it’s important to keep investing in people and technologies that can strengthen your company’s cyber resilience,” Willems concludes.