Telecommunications operators are designed to carry the world’s conversations, payments, and sensors. When that carriage is breached the effects are both digital and kinetic: fraud, targeted phishing, service disruption, and in some cases cascading impacts on physical systems that rely on connectivity. Two incidents from the first half of 2025 — MTN’s April disclosure and Orange’s spring and July intrusions — illustrate recurring failure modes and the concrete steps operators must take to reduce risk.

What happened, at a glance

MTN Group disclosed in late April 2025 that it had experienced a cybersecurity incident that resulted in unauthorised access to personal information for some customers in certain markets, while emphasising that its core network, billing systems and financial services infrastructure remained secure and operational. MTN said it had activated its response processes and informed law enforcement and regulators.

Orange’s incidents came in two waves that are useful to compare. In February and March 2025 a threat actor using the handle Rey published data he said came from Orange Romania after exploiting compromised credentials and weaknesses in an internal Jira instance and other back-office portals. Orange characterised that event as a breach of a noncritical application and began investigations. Later, on July 25, 2025, the Orange Group detected an intrusion on one of its information systems, isolated affected services, and filed a formal complaint while reporting no immediate evidence of customer data exfiltration. The July containment actions themselves caused service disruption for some business and consumer customers in France.

Common patterns and risk vectors

1) Back-office and management systems are the low-hanging fruit. In several recent telco incidents attackers gained a foothold through compromised credentials and then exploited tools used for issue tracking and internal ticketing. Those systems often house project data, customer contact lists, and access to higher-value targets. The Orange Romania case highlights how non-customer-facing systems can act as a bridgehead.

2) ‘Core networks untouched’ is real but not soothing. Operators rightly prioritize segmentation so signalling, switching, and billing are isolated from corporate IT. However, even if core voice and packet infrastructures are intact, exfiltrated back-office data and leaked configuration artifacts create attack surfaces: targeted social engineering, SIM swap facilitation, credential stuffing, and fraud against mobile money users. These downstream attacks are precisely the kinetic/financial harms that follow a so-called noncritical breach.

3) Containment can produce availability impacts. Orange’s July response involved isolating systems to prevent lateral movement. Isolation is necessary, but when operational or management platforms are taken offline without prebuilt substitutes, business customers and public services can be disrupted. That trade-off must be deliberate and rehearsed.

4) Attribution and public claims complicate response. Operators are increasingly the subject of public claims on hacker forums. Threat actors publish samples to force engagement or to coerce response. This amplifies reputational risk and pressures incident handlers to choose between opacity and transparency while detailed forensics are ongoing. The public back-and-forth around Orange in February and March shows how narratives can outpace facts.

Lessons and concrete mitigations

1) Harden and isolate management tooling: Treat issue trackers, CI/CD endpoints, ticketing portals, and VPN concentrators like critical infrastructure. Apply strong MFA, allowlist administrative access through ephemeral bastion hosts, and force password and session rotation for any identity used by those systems. Run dedicated monitoring rules for anomalous exports from ticketing and repo platforms.

2) Zero trust for operator IT: Segment by function and implement least privilege for identities and services. Assume credentials will leak. Adopt short-lived credentials, require device posture checks, and instrument service-to-service authentication with mTLS where possible. Logging should be immutable and forwarded to an external SOC pipeline to prevent attackers from erasing traces.

3) Assume data exfiltration even when core systems are safe: Plan for second-order attacks. Telecoms host mobile money, enterprise VPNs, and SSO connectors. A breach of corporate data often precedes targeted phishing, SIM swaps, or account takeovers. Pre-authorised fraud mitigation playbooks with banks and mobile money partners reduce reaction time.

4) Pre-position availability fallbacks: When planning containment, ensure business continuity for customers. That means isolated management planes with warm standby consoles, hardened API proxies, and clear communication templates. Operators should exercise playbooks that include deliberate, time-boxed isolation with preapproved compensating controls to keep essential services running.

5) Elevate third-party and supply chain controls: Many breaches trace to compromised credentials for vendor portals or to unpatched third-party components. Inventory dependencies, require secure configuration baselines from vendors, and include explicit SLA clauses for security and incident notification. Regular pentesting and external red-team engagements focused on supply-chain pathways are essential.

6) Improve forensic readiness and coordinated disclosure: Forensics should be able to answer scope and impact quickly. Operators must align legal, PR, and technical tracks so notifications to regulators and customers are accurate and timely. Where GDPR or other breach-notification regimes apply, have templates and timelines mapped to legal obligations.

7) Harden telemetry and detection on noncore systems: Many breaches begin with credential theft and quiet data pulls from “noncore” apps. Instrument unusual data access patterns, high-volume exports, and new lateral-authentication flows. Feed those signals into an MDR provider or in-house SOC tuned for telco-specific indicators.
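Two of the signals named above, high-volume exports from a noncore app and a first-seen authentication flow, are simple to express as detection logic. The example below is added here and is not code from either operator; the audit-log format, the hostnames and the baseline are constructed for illustration, and the export threshold and window are assumptions a SOC would tune to its own platforms.

```python
"""Detection over constructed audit-log lines from a ticketing/back-office system."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (no real operator data): ts|user|action|target|records
SAMPLE_LOG = """\
2025-03-01T09:00:00|alice|login|jira-int|1
2025-03-01T09:05:00|alice|export|jira-int|40
2025-03-01T09:06:00|alice|export|jira-int|55
2025-03-01T09:07:00|alice|export|jira-int|60
2025-03-01T09:30:00|bob|login|ticketing|1
2025-03-01T09:31:00|bob|login|cfg-repo|1
2025-03-01T10:00:00|carol|export|ticketing|20
"""

# Constructed baseline of (user, target) login pairs seen during a learning period.
BASELINE_AUTH = {("alice", "jira-int"), ("bob", "ticketing"), ("carol", "ticketing")}


def parse(log):
    """Split the pipe-delimited lines into (timestamp, user, action, target, records)."""
    events = []
    for line in log.strip().splitlines():
        ts, user, action, target, records = line.split("|")
        events.append((datetime.fromisoformat(ts), user, action, target, int(records)))
    return events


def high_volume_exports(events, threshold=100, window=timedelta(minutes=10)):
    """Flag users whose exported-record total inside any sliding window exceeds threshold."""
    per_user = defaultdict(list)
    for ts, user, action, _, records in events:
        if action == "export":
            per_user[user].append((ts, records))
    flagged = {}
    for user, items in per_user.items():
        items.sort()
        start, total, peak = 0, 0, 0
        for ts, records in items:          # sliding window over time-ordered exports
            total += records
            while ts - items[start][0] > window:
                total -= items[start][1]
                start += 1
            peak = max(peak, total)
        if peak > threshold:
            flagged[user] = peak
    return flagged


def new_lateral_auth(events, baseline):
    """Return login (user, target) pairs that have no entry in the baseline."""
    return sorted({(u, t) for _, u, a, t, _ in events if a == "login" and (u, t) not in baseline})
```

On the constructed log, alice trips the export rule (155 records in three minutes) and bob's first login to cfg-repo is reported as a new lateral flow; carol's 20-record export stays below the threshold.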

Why the telecom sector matters more than ever

Telecom operators are convergence points for consumer identity, financial rails, IoT telemetry, critical comms, and national infrastructure. A breach that looks limited on paper can quickly be weaponised into large-scale fraud, targeted disinformation campaigns, or disruption of remote assets. That convergence demands that telcos treat every component as part of a single risk surface rather than a set of independent silos. The MTN and Orange episodes in 2025 reinforce this reality: containment and clear public communication matter, but so do prevention controls that recognize how back-office data becomes the enabler for kinetic and financial attacks.

A short operational checklist for telco security teams

  • Inventory and classify every application that contains PII, configuration, or enterprise secrets.
  • Require strong MFA and short-lived credentials for all management and developer tooling.
  • Forward immutable logs offsite and monitor for large exports from ticketing, repo, and backup systems.
  • Rehearse isolation drills that include customer-facing fallback mechanisms.
  • Coordinate pre-authorised fraud mitigation with financial partners and regulators.
  • Maintain a vulnerability disclosure and patch cadence for exposed third-party platforms, including Jira and CI systems.

Final word

These incidents are a reminder that telecom security is not just about keeping packets flowing. It is about protecting identity, money, and the control planes of systems that people and governments depend on. The right combination of segmentation, detection, forensics, and rehearsed containment can narrow an attacker’s window while preserving service for users. Operators who treat their noncore systems as critical will be the ones that avoid turning a limited breach into a national headache.