The group — which serves more than 290 million customers globally — warned that some services could be affected by its response to the incident, though it did not disclose the precise nature of the attack.
Orange’s handling of the incident was met with sharp criticism from some of Belgium’s cybersecurity community.
In a LinkedIn post, Inti De Ceukelaire, chief hacker at Belgian bug-bounty platform Intigriti, called the company’s response “very disappointing,” accusing Orange of following “the same old corporate PR playbook” to protect its brand rather than its customers.
De Ceukelaire warned that the dedicated information page published by Orange downplayed the real risks — such as SIM swapping and number theft — while shifting the burden onto users to guard against phishing.
The company also “subsequently downplay[s] the financial compensation claims stating that damage needs to be proven,” he added.
Another LinkedIn user, Koen Gabriels, wrote: “Sure, providing every affected customer with a new SIM card is expensive and quite the logistical operation, but it would prove to me that they are worthy of storing my data.”