Belgium Tightens Controls on SIM Swaps Following Orange Privacy Breach

Hackers obtained data about 850,000 customers of Orange Belgium.

The Belgian Institute for Postal services and Telecommunications (BIPT), the Belgian comms regulator, has announced the introduction of a new safeguard to prevent criminals hijacking a phone user’s number. The change comes after Orange Belgium revealed on August 20 that a cyberattack in late July had compromised data from 850,000 customer accounts. BIPT acknowledged the increased risk of SIM swap fraud.

The BIPT is particularly concerned about the potential theft of telephone numbers where a fraudster submits a request to transfer the stolen telephone numbers to another operator (fraudulent “SIM swap”).

BIPT responded to Orange’s privacy breach by talking to Orange and other telcos about ways to mitigate the risk of SIM swap fraud. The result is a new control that has previously been adopted in other countries.

In this context, the BIPT has affirmed Orange’s proposal to add an additional check to the number porting procedure.

For example, when Orange receives a request for a number porting to another operator, it will send a verification SMS to the customer concerned.

Customers who receive a verification message can prevent the transfer by replying with the word ‘STOP’ within 8 days of receiving the notification. If the customer does not respond, the transfer will go ahead.

The new verification control only applies to customers of Orange but the careful wording of the announcement suggests the regulator is open to the same protection being given to customers of other telcos too. Telcos worldwide have sometimes opposed simple anti-fraud controls like these because they add friction to the process of customers changing their supplier. Some regulators have been wary of strengthening the position of market leaders by giving them additional ways of reducing churn. BIPT’s public blessing for the new Orange Belgium control will encourage rival telcos to implement equivalent controls.

Belgium has had relatively weak controls against unauthorized account takeover compared to other countries. BIPT may use this opportunity to argue for stricter consumer protection obligations in future. They should also be challenging the low priority given to warning the public about this breach. Per Orange Belgium’s version of events, three weeks elapsed between them detecting the cyberattack and informing the public about the resulting risks.

Orange Belgium has approximately 3.5 million postpaid mobile subscribers and about 1 million cable subscribers, placing them second in the Belgian telecoms market to Proximus. Per Orange’s press release, the data stolen by the hackers includes the names of customers and their phone numbers, SIM card numbers, PUK codes, and tariff plans.

The advice given by Orange Belgium tells customers to be wary of phishing frauds because the leaked data could be used by scammers to impersonate Orange or other reputable organizations. This is true, but it also understates the risks to the affected customers. As demonstrated by the new control on SIM swaps, this data could also be used by criminals to impersonate a phone user in order to take control of their account. The PUK code would also be useful to criminals who have stolen a handset; PIN codes for handsets can be bypassed and reset if the thief knows the user’s PUK code.

Commsrisk aficionados will appreciate another instance of our long-running data protection gag. Orange Belgium followed the breach by saying what countless other telcos have said after countless other privacy breaches.

At Orange Belgium, the protection of your personal data is always our top priority.

Protecting data should be a top priority but the frequency of breaches proves it is not. Belgians are being reminded of a lesson that has been taught in many other countries too: anti-crime controls need to be implemented and working before data is breached, and not only rushed into effect after criminals have already landed a big payday.

Eric Priezkalns

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press.
