Features 02.03.2026

Dial C for Cyber: Why Benelux Telcos Are Under Attack

What telco CISOs need to do to avoid becoming the next Odido

The telecommunications sector sits at the heart of the region’s digital economy. That makes it an increasingly popular target.

Telecommunications providers play a unique role in their nation’s critical infrastructure (CNI). They’re also uniquely exposed to data theft, extortion and nation-state sabotage. In February, the latest in what has become a wave of breaches at Benelux telcos compromised sensitive personal and financial information for over six million Dutch mobile users. That’s a third of the population.

As operators continue to build out 5G, CISOs in the sector must adopt a resilience-first mindset befitting CNI. Regulators will accept nothing less.

Dialling up the threat levels

The most recent breach hit the largest mobile phone operator in the Netherlands, Odido. The carrier said an unauthorised third party gained access to a “customer contact system”, although we don’t yet know how. What we do know is that they compromised names, home and email addresses, IBANs, dates of birth and passport/driver’s licence numbers. Unsurprisingly, Odido warned customers of follow-on fraud and phishing attempts.

Yet it is not the only telco in the region to be undone in recent months. Orange Belgium informed 850,000 customers last summer that hackers had stolen names, telephone numbers, SIM card numbers, tariff details, and Personal Unblocking Key (PUK) codes. As the latter are used to unlock SIMs or verify ownership, there were fears that the incident may lead to mass SIM-swapping attacks, especially as the culprit was a financially motivated ransomware group (Warlock).

The same group struck a month later, compromising fibre network provider Colt Technology Services in August 2025. They appear to have gained access to the corporate network by exploiting a remote code execution (RCE) vulnerability in Microsoft SharePoint. Some services, including customer portals and support systems, were out of action for days following the incident. And the group itself claimed to have exfiltrated a million documents, including financial information, employee salary data, executive communications and customer contact info.

Unbelievably, there’s more. In May of the same year, a data breach at mobile virtual network enabler (MVNE) Effortel led to the theft of personally identifiable information (PII) from three Belgian mobile virtual network operators: Carrefour Mobile, Neibo, and Undo. A threat actor exploited a vulnerability in the MVNE’s support portal, compromising PII on 70,000 customers. This included names, birth dates, email and home addresses, SIM numbers, passport details and phone numbers.

The nation-state threat

The above are all examples of financially motivated cyber crime. But telcos are also increasingly popular targets for nation-states seeking opportunities to conduct large-scale spying and pre-positioning operations. Most notably, China’s Salt Typhoon has been blamed for sophisticated, multi-year espionage campaigns targeting mainly US carriers. It exploits known vulnerabilities, especially on edge devices, and modifies router configurations for lateral movement, among other TTPs. The group has also targeted Dutch ISPs and hosting providers.

Sometimes the threat is closer to home, according to Jan Guldentops, CEO of Belgian tech consultancy B.A. “It is well-documented that GCHQ breached the Belgian provider Belgacom (now Proximus) in ‘Operation Socialist’,” he tells Assured Intelligence. “It specifically targeted their international carrier services because they handled a vast portion of international telephony and data traffic for the Middle East and Africa.”

Sometimes it’s not just espionage but the opportunity to disrupt an enemy state’s critical infrastructure that appeals to government hackers.

“Disruption serves the purpose of destabilisation, either to undermine trust in a country’s critical services, or to distract from more covert operations,” KnowBe4 CISO advisor, Martin Kraemer, tells Assured Intelligence. “More broadly speaking, state actors are increasingly disrupting nations’ infrastructure as part of hybrid warfare where conventional/kinetic warfare is facilitated by cyber attacks.”

Independent security evangelist Eddy Willems agrees. “Disruptions ripple instantly into banking, healthcare, government, and emergency services. A telco outage is never ‘just an IT issue’, it’s a societal impact,” he tells Assured Intelligence.

Why are telcos so exposed?

The challenge facing industry CISOs battling these threat actors is the sheer complexity of their technology environment, Willems continues.

“Operators juggle legacy infrastructure alongside cutting-edge technology. That creates uneven security maturity and hidden weaknesses. And they depend heavily on third-party vendors, managed services and supply chains, which expands the attack surface far beyond internal controls,” he explains.

“Availability requirements are extreme: networks must stay up 24/7, limiting downtime for patching or architectural changes. And telcos are deeply interconnected. A compromise can cascade across sectors, amplifying consequences.”

The compliance imperative

The financial and reputational impact from data breaches, extortion attacks, SIM swapping and related threats should be obvious to telco CISOs. As should the national security implications of state-backed intrusion activity. Regulators have taken note. Benelux telcos are not only required to meet strict NIS2 rules, but could also fall under the scope of DORA.

Telecommunications giants such as Orange and Deutsche Telekom are on a list of 19 critical ICT third-party providers (CTPPs) governed by the financial services regulation. And others that provide digital services to clients in the industry will also be included.

“NIS2 imposes a broad range of obligations in terms of cybersecurity: telcos must have adequate governance processes. There have to be adequate risk management procedures in place, incidents must be reported to national authorities, and appropriate mitigations put in place,” KU Leuven professor of cybersecurity and privacy, Bart Preneel, tells Assured Intelligence.

“DORA requirements are similar to NIS2 but include operational resilience and reporting of incidents to financial customers.”

For B.A.’s Guldentops, the “biggest legal and reputational concern” isn’t NIS2 or DORA, but the GDPR. “Under Article 32, telcos must prove their security measures are up to par or face significant fines. From a reputational viewpoint, having to communicate a breach to every affected data subject is a commercial and PR nightmare,” he says. “Of course, NIS2 and DORA add new layers of compliance and, crucially, personal liability for the board and senior management.”

Dutch telco CISOs should also bear in mind that the regulator, the National Digital Infrastructure Inspectorate (RDI), has fined both Odido and Vodafone millions in recent years for failing to secure their wiretapping systems.

Securing the sector

All the local experts Assured Intelligence spoke to urged telco security leaders faced with these challenges to prioritise cyber resilience. KU Leuven’s Preneel says boardroom support is an essential first step.

“Invest sufficiently in cybersecurity and operational resilience, both in terms of governance (people and processes) and technology,” he adds. “Carefully balance investments in prevention, detection, response and recovery. Work with your suppliers, share information with peers, and consider AI for cyber offence and defence, alongside post-quantum cryptography.”

Security evangelist Willems says efforts must start by treating identity as the frontline. “SIM-swap fraud and account takeover remain highly effective. Move beyond SMS-based MFA, and strengthen identity verification, privilege management and Zero Trust controls,” he continues. “Next, reduce architectural fragility by segmenting aggressively – separating management planes, signalling, core services and IT environments.”

Willems also points to behavioural detection, threat hunting and well-rehearsed incident response as helping to build resilience, alongside improved supply chain risk management.

“Vendors can become your weakest link. Demand security assurances, audit rights and clear incident obligations,” he says. “Perfect security doesn’t exist. Cyber resilience is about absorbing, recovering and adapting.”

To these efforts, KnowBe4’s Kraemer adds staff training and culture-building to counter social engineering. But telcos must also think one step ahead, as identities are increasingly machine rather than human. “As the workforce moves from entirely human to hybrid with AI agents, organisations must invest in AI agent security and oversight,” he argues.

Extensive guidance on technical and policy measures has already been published in the region to help telco CISOs. The local agencies or National Cybersecurity Authorities responsible for NIS2 are a good first port of call. They are the Centre for Cybersecurity Belgium (CCB), the Dutch National Cybersecurity Centre (NCSC-NL), and the Institut Luxembourgeois de Régulation. The Luxembourg National Cybersecurity Competence Centre (NC3) is also a useful resource.

As Benelux telcos continue to build out the infrastructure on which local businesses, government agencies and consumers depend, they will come under growing pressure from digital adversaries. In this context, resilience is no longer an option. It should be the foundation of cyber strategy.
