Data leak at Orange ignites concerns about SIM-swapping attacks

Threat actor gains access to personal data of 850,000 Orange Belgium customers, including SIM card numbers

Unauthorized Access at Orange Exposes Potential SIM-Swapping Security Risks

Orange Belgium, a leading telecommunications provider, has revealed a significant data breach that occurred in late July. In a press release published on August 20, the company detailed the incident and outlined extra security measures for its customers.

The Warlock ransomware group has claimed responsibility for the attack, posting a sample of allegedly stolen data on their data leak site. The group has been actively deploying the Warlock ransomware, exploiting the Microsoft SharePoint 'ToolShell' chained vulnerability, first disclosed in July 2025.

According to the press release, the attack targeted Orange Belgium's customer accounts, potentially compromising SIM card numbers and Personal Unblocking Key (PUK) codes. The PUK code is an eight-digit security code used to unlock a SIM card if an incorrect PIN is entered several times. However, no passwords, email addresses, or banking and financial data were accessed in the attack.

A white hat hacker at bug bounty firm Intigriti, who is also an Orange Belgium customer, has expressed concerns that the new security measures do not address the threat of SIM swapping. SIM swapping enables fraudsters to intercept calls and messages, including those containing one-time passcodes used for multi-factor authentication.

Meanwhile, the Warlock operator has recently claimed credit for an attack on UK-based telecoms provider Colt Technology Services. Security researchers believe this attack may have originated from exploitation of CVE-2025-53770, one of the two vulnerabilities involved in the ToolShell exploit chain.

Despite these concerns, an Orange spokesperson stated that the attack on the Belgian subsidiary is not linked to recently publicized attacks against telecoms providers worldwide, including incidents claimed by the Warlock gang and the other July attack on Orange. The spokesperson could not provide further details due to the ongoing investigation.

The incident has raised fears of SIM swapping attacks among Orange Belgium customers. As of now, no specific person or organization has been identified behind the attack using the Warlock ransomware tool. The threat actor behind the Belgium breach is known and is not linked to international organizations.

The Warlock group is offering the full dataset for sale. The company has published a separate customer information webpage outlining extra security measures to help customers protect themselves from potential threats.
