TL;DR: France's three major telecom providers (Orange, Bouygues Telecom, and SFR) were all breached in 2025. The damage: 6.4 million customers' IBANs stolen from Bouygues. 380,000 email addresses and partial payment data leaked from Orange Romania. Up to 50,000 SFR customers' banking details exposed. Attackers ranged from ransomware groups (HellCat, Babuk) to unnamed third-party intruders. If you're a French telecom customer, your data is almost certainly compromised. Monitor your bank accounts, watch for unauthorized direct debits, and assume you're a phishing target.

Every Major French Telecom. Breached.

2025 was catastrophic for French telecom security. The country's three major carriers (Orange, Bouygues Telecom, and SFR) all suffered significant data breaches within months of each other.

This isn't coincidence. It's a pattern. Telecoms hold enormous amounts of personal data: names, addresses, phone numbers, banking details, call records. They're high-value targets. And in France, every single major carrier failed to protect their customers in 2025.

Here's what happened, what was stolen, and what it means for you.

Bouygues Telecom: 6.4 Million IBANs Stolen

When: August 4-6, 2025[1]

Affected: 6.4 million customers

Data exposed: Names, contact details, IBANs, civil status, contractual information

Bouygues Telecom, France's third-largest carrier, detected a cyberattack on August 4, 2025. By August 6, they confirmed the worst: a "third party" had accessed personal data for 6.4 million customers.[2]

The stolen data included International Bank Account Numbers (IBANs). That's your unique bank identifier: everything someone needs to set up fraudulent direct debits in your name.

Bouygues claims credit card numbers and passwords weren't compromised. But with 6.4 million IBANs in criminal hands, that's thin comfort. IBAN fraud is already spiking in France, and this breach just added fuel to the fire.

The company notified customers via email and SMS, reported to France's data protection authority (CNIL), and filed a complaint with judicial authorities. Standard post-breach playbook. Doesn't get your data back.

Orange: Three Separate Attacks in One Year

Orange, France's largest telecom with 287 million customers worldwide, wasn't just breached once. They were hit at least three times in 2025.

February 2025: HellCat Ransomware Hits Romania

On February 25, 2025, a hacker named "Rey" from the HellCat ransomware group exfiltrated 6.5GB of data from Orange Romania. The attacker had undetected access for over a month, exploiting compromised credentials and vulnerabilities in Orange's Jira software.[3]

Stolen data included:

  • 380,000 unique email addresses (employees, partners, contractors)
  • Yoxo customer data
  • Partial payment card details (outdated but still damaging)
  • Source code and internal documents

Orange didn't pay the ransom. Rey leaked the data anyway. Orange called it a "non-critical back-office application." Tell that to the 380,000 people whose emails are now on dark web forums.

March 2025: Babuk Claims 4.5 Terabytes

Just weeks later, the Babuk ransomware group claimed to have stolen 4.5 terabytes of data from Orange. They threatened to release 1TB if negotiations failed. The alleged haul included email addresses, customer records, source code, contracts, call logs, and personally identifiable information.[4]

July 2025: Service Disruptions

In July, Orange reported another cyberattack on internal systems, causing service disruptions for corporate and consumer clients in France. Orange initially claimed no data was exfiltrated. After the Romania incident, their credibility on such claims is limited.

August 2025: Warlock Group Publishes Data

A group called "Warlock" stole business customer data and published it online. Orange downplayed the incident, claiming attackers only accessed "outdated or low-sensitivity information."[5]

Four incidents in eight months. At some point, "we're investigating" stops being an answer.

SFR: Banking Details Exposed Twice

SFR, France's second-largest carrier, managed to get breached twice in 2025.

September 2025: 50,000 Customers' Banking Data

The first attack exposed data for nearly 50,000 customers, including banking details and personal information. This is the worst kind of breach: direct financial exposure.[6]

December 2025: Another Subscriber Data Leak

In December, SFR announced another cyberattack. This time: names, addresses, customer references, and telephone numbers leaked. SFR claimed banking data wasn't affected in this second incident, cold comfort after the September breach already exposed banking information.

August 2025: Database Leak Claims

Reports in August also alleged an SFR database leak, raising concerns about SIM swapping and phishing risks from the exposed data.[7]

Why IBANs Are Dangerous

Many people underestimate IBAN exposure. Here's why you shouldn't:

Fraudulent Direct Debits

With your IBAN and name, criminals can set up direct debit mandates for utilities, subscriptions, and services. You'll only notice when money disappears from your account.

Social Engineering Fuel

Your banking details make phishing attacks more convincing. "We're calling about your account ending in [real numbers]" sounds legitimate when they actually have your information.

Identity Verification Bypass

Some services use banking details as identity verification. If attackers can confirm your IBAN, they've passed one security check already.

Difficult to Change

Unlike a password, you can't easily change your bank account. Moving banks is a major hassle. Many victims just live with the exposure.

The Third-Party Pattern

The Bouygues breach came through a "third party." This mirrors exactly what happened to TalkTalk in the UK: a supplier compromise that exposed customer data.

Telecoms don't operate alone. They rely on:

  • Billing platforms: Processing payments, storing banking details
  • Customer support systems: Access to full customer records
  • Marketing vendors: Contact information, preferences
  • Analytics providers: Usage patterns, behavioral data

Every third party is an attack vector. Every integration is a potential entry point. Every vendor relationship means your data sits on systems the telecom doesn't directly control.

The SecurityScorecard Global Third-Party Breach Report found that 35.5% of all data breaches in 2025 originated from third parties. Telecoms are especially vulnerable due to their complex supply chains and the volume of sensitive data they handle.[8]

CNIL and GDPR: Will There Be Consequences?

Under GDPR, French regulators can issue fines up to €20 million or 4% of global annual turnover, whichever is higher. For Orange, with €39.7 billion in 2023 revenue, that's potentially a €1.6 billion fine.

In practice, fines are typically smaller. The French data protection authority (CNIL) has historically been active but not punitive enough to fundamentally change corporate behavior.

All three carriers reported their breaches to CNIL, as required. Investigations are ongoing. But investigations take years. Fines, if they come, arrive long after the data has been sold, traded, and exploited.

Meanwhile, French consumers have limited recourse. Class action lawsuits are possible under French law, but recovery is uncertain and slow. The companies will survive. Their customers bear the actual consequences.

What You Can Do

Monitor Bank Accounts Weekly

Check for unauthorized direct debits. Many banks allow you to set up alerts for any new mandates. If your IBAN was in the Bouygues breach, this is essential.

Contest Unauthorized Debits

Under SEPA rules, you can contest illegitimate direct debits within 13 months. Report immediately to your bank if you see anything suspicious.

Enable Transaction Notifications

Most French banks offer SMS or app alerts for transactions. Set them up. The faster you catch fraud, the easier it is to reverse.

Be Suspicious of All Contact

Any email, call, or SMS claiming to be from Orange, Bouygues, or SFR could be a phishing attempt using your real stolen data. Verify independently before acting.

Change Associated Passwords

If you use the same email/password combination for your telecom account and other services, change them. Credential stuffing attacks are likely.

Consider a New SIM

If your SFR data was exposed, SIM swapping is a risk. Contact your carrier to add extra verification requirements for SIM replacements.

The Bigger Picture

France isn't unique. Telecoms worldwide are under siege:

  • TalkTalk (UK): Third-party supplier breach exposed customer data, January 2025
  • SK Telecom (South Korea): Linux backdoor in systems for years, discovered April 2025
  • Ribbon Communications (US): Nation-state hackers inside contractor systems through 2025

The telecommunications industry holds some of the most sensitive data: who you call, where you go, how you pay. That data is valuable to criminals, marketers, and governments alike. The protections are often inadequate.

2025 demonstrated that no major telecom is immune. French carriers failed spectacularly, but they're part of a global pattern. Your telecom provider, wherever you are, is a data breach waiting to happen.

References

  1. Infosecurity Magazine - Bouygues Telecom cyberattack exposes 6.4 million customers' IBANs (August 2025)
  2. Bleeping Computer - Bouygues Telecom discloses cyberattack (August 2025)
  3. SC World - Orange confirms breach by HellCat ransomware affiliate (February 2025)
  4. CertPro - Babuk ransomware claims 4.5TB Orange data theft (March 2025)
  5. Insurance Journal - Warlock group publishes Orange business customer data (August 2025)
  6. The Cyber Express - SFR data breach exposes 50,000 customers' banking details (September 2025)
  7. BrinzTech - SFR database leak raises SIM swapping concerns (August 2025)
  8. SecurityScorecard - 2025 Global Third-Party Breach Report