The SMT Group’s “Data Leak Statistical Summary of Jordan 2017-2019”,
published in 2020, documented a striking concentration of credential leakage in Jordan’s
telecommunications sector: 92% of all credential data leaked across the industry
during the three-year study period originated from telecom providers. Orange Jordan
- the country’s dominant operator and the Jordanian subsidiary of the
French Orange S.A. group, operating as Jordan Telecom Group - was identified
as responsible for more than half of all telecom sector leakage. The study covered
breaches, credential dumps, and dark web postings involving Jordanian entities
between 2017 and 2019.
The Business & Human Rights Resource Centre subsequently investigated the broader
data collection practices of Jordan’s internet service providers, finding that
five ISPs were collecting intrusive user information without adequate disclosure to
customers. The combination of credential leakage at industrial scale and undisclosed
data collection practices creates a systemic portrait of a telecommunications sector
that holds vast quantities of sensitive subscriber data without the governance
frameworks, technical security controls, or accountability mechanisms needed to
protect it - a conclusion underscored by the absence of any enforceable personal
data protection law in Jordan at the time.
## Key Facts
- **What:** 92% of Jordan's corporate credential leaks traced to the telecom sector (2017-2019).
- **Who:** Orange Jordan subscribers and four other ISP customer bases.
- **Data Exposed:** Usernames, passwords, national IDs, and subscriber account data.
- **Outcome:** No enforcement; Jordan still lacks a personal data protection law.
## What Happened
Between 2017 and 2019, credential data from Jordan’s telecommunications sector leaked at a rate that dwarfed every other industry in the country.
The SMT Group’s "Data Leak Statistical Summary of Jordan 2017-2019," published in 2020, documented that 92% of all credential data leaked from Jordanian corporate entities during the three-year period originated from telecom providers.
Orange Jordan - the country’s dominant operator and the successor to the former state telecoms monopoly - accounted for more than half of all telecom sector leakage.
The leaked credentials appeared in dark web marketplace listings, pastesite publications, and cybercriminal forum postings.
The credential leakage was not a single incident but a pattern of repeated exposure over three years. Passwords appeared in plaintext or weakly hashed form, suggesting systemic failures in credential storage practices rather than isolated breaches.
The leaks included subscriber credentials for self-service portals, internal employee credentials from corporate systems, and customer identification data including national ID numbers and residential addresses linked to subscriber accounts.
Separately, the Business & Human Rights Resource Centre investigated the data collection practices of Jordan’s internet service providers and found that five ISPs were collecting intrusive user information without adequate disclosure to subscribers.
Freedom House’s "Freedom on the Net 2024" report continued to document concerns about ISP data collection practices and government access to subscriber data years later.
Jordan’s Cybercrime Law No. 17/2023 formalized obligations for ISPs to retain traffic data and provide law enforcement access, creating a legal architecture in which ISPs function as surveillance infrastructure - amplifying the consequences of credential leakage by ensuring the data ISPs hold is particularly sensitive.
No regulatory penalty was imposed on any ISP for the credential exposures.
## What Was Exposed
- Subscriber credentials - usernames, email addresses, and passwords in plaintext or weakly hashed form - for Orange Jordan’s customer base, which includes the majority of Jordan’s fixed-line and broadband subscribers
- Authentication data for Orange Jordan’s self-service portals, enabling unauthorized access to subscriber accounts, billing details, and service configurations
- Internal employee credentials from Orange Jordan’s corporate systems, potentially including access to network management platforms and customer relationship management databases
- Customer identification data associated with the leaked credentials: national identification numbers, addresses, and phone numbers linked to subscriber accounts
- Potentially billing and payment data for subscribers whose account credentials were exposed in the leaks, depending on the scope of systems from which each leak originated
- Network access credentials that could enable unauthorized access to Orange Jordan’s network management infrastructure if internal operational credentials were included in leaked datasets
- Data from the other four ISPs identified as collecting intrusive user data, spanning the subscriber bases of Zain Jordan, Umniah, and other market participants
Orange Jordan, operating as Jordan Telecom Group, occupies a structurally dominant
position in Jordan’s telecommunications market. As the successor to the former
state telecoms monopoly Jordan Telecom Company, Orange inherited the country’s
fixed-line infrastructure and has used that foundation to build a leading position
across mobile, broadband, and enterprise services. Its subscriber base encompasses
a substantial proportion of Jordan’s population of approximately 10 million,
and its enterprise customer portfolio includes government ministries, banks, hospitals,
and major private sector corporations. A credential leakage event at Orange Jordan
is therefore not merely a consumer privacy issue: it creates attack vectors into
essentially every sector of the Jordanian economy that relies on Orange’s
enterprise connectivity services.
The SMT Group study’s methodology deserves examination. The research analyzed
data leak events - defined broadly to include credential dumps posted on dark
web marketplaces, pastesite publications, and cybercriminal forum postings -
involving Jordanian corporate entities across all sectors between 2017 and 2019.
The 92% telecom credential leakage rate indicates that the telecommunications sector
accounted for an overwhelming majority of the total credential records leaked from
Jordanian organizations during the period, not merely that telecom companies were
more frequently targeted. This sector concentration suggests structural vulnerabilities
in telecom data management practices rather than a random distribution of incidents
across industries.
Credential leakage at the scale documented by SMT Group typically results from one
of several root causes: inadequate password storage practices (storing passwords in
plaintext or using weak hashing algorithms that enable rapid cracking), vulnerable
web applications exposing subscriber databases through SQL injection or similar
attacks, inadequate access controls allowing broad internal access to subscriber
credential databases, or insider threats involving employees with access to credential
stores. The fact that Orange Jordan was identified as responsible for more than half
of all telecom sector leakage during a three-year period suggests a systemic rather
than episodic failure - multiple incidents, multiple vectors, or a persistent
exposure of credential data that was repeatedly harvested over the study period.
The parallel finding that five Jordan ISPs were collecting intrusive user data without
disclosure adds a different dimension to the sector’s data governance failures.
Collecting user data without disclosure means operating in breach of the most basic
transparency requirements that even minimal data protection frameworks impose. While
Jordan lacks a standalone Personal Data Protection Law, the constitutional privacy
guarantee under Article 18 and the general contractual obligations of service providers
to their subscribers create a normative baseline against which undisclosed surveillance-grade
data collection is clearly problematic. The question of what ISPs did with the intrusively
collected data - whether it was shared with government agencies, sold to third
parties, or used for commercial profiling - was not resolved by the available
public reporting and remains a concern.
The Freedom House “Freedom on the Net 2024” report on Jordan continued to
document concerns about ISP data collection practices and government access to subscriber
data, suggesting that the issues identified in the 2020 study had not been comprehensively
resolved in the intervening years. Jordan scored “Not Free” in Freedom House’s
assessment, with concerns about surveillance infrastructure, legal requirements for ISPs
to provide law enforcement access to subscriber data and communications, and the broader
digital rights environment. The Cybercrime Law No. 17/2023 contains provisions that
oblige ISPs to retain traffic data and provide access to authorities, creating a legal
architecture in which ISPs are instrumentalized as surveillance infrastructure -
an architecture that amplifies the consequences of credential leakage by ensuring
that the data ISPs hold is particularly sensitive.
## Regulatory Analysis
At the time of the documented credential leakage events (2017-2019), Jordan’s
primary data governance instrument for the telecommunications sector was the Telecommunications
Regulatory Commission (TRC) licensing framework, which establishes operational requirements
for licensed operators but does not include specific data security standards comparable
to those found in dedicated data protection legislation. The TRC’s mandate covers
service quality, spectrum management, market competition, and interconnection -
not the information security of subscriber credential databases or the data collection
practices of licensed operators vis-à-vis their customers.
Jordan’s Cybercrime Law No. 17/2023, while enacted after the study period, is
relevant to the forward-looking regulatory assessment. The law criminalizes unauthorized
access to systems and the interception of communications but, like its 2015 predecessor,
does not establish affirmative data security obligations for organizations that process
subscriber credentials. An organization that suffers a credential breach as a result of
inadequate security practices is a victim of a crime under the Cybercrime Law -
but it is not itself in breach of any specific legal obligation to maintain credential
security, absent a sector-specific security requirement from the TRC or another regulator.
This asymmetry between criminal liability (which attaches to attackers) and regulatory
liability (which does not attach to negligent victims) is a defining feature of Jordan’s
current legal architecture.
The constitutional dimension is again relevant. Article 18 of Jordan’s Constitution
protects the privacy of communications, which a telecom operator is by definition
entrusted with. An operator that fails to protect subscriber credentials -
enabling attackers to access subscriber accounts and, potentially, intercept
communications - is facilitating a violation of the constitutional privacy
guarantee that its operating license obligates it to protect. The absence of a
constitutional court mechanism or a data protection authority to receive complaints
means that this constitutional argument remains theoretical for affected subscribers.
However, civil tort claims grounded in the constitutional privacy right and the
operator’s implied contractual duty of care are plausible avenues for individual
subscribers whose accounts were compromised as a result of the credential leakage.
The Ministry of Digital Economy and Entrepreneurship (MoDEE), which has responsibility
for digital policy and has acknowledged data privacy as a national priority, is the
relevant policy body for addressing the structural vulnerabilities identified by the
SMT Group study. MoDEE’s development of a draft Personal Data Protection Law
- which has been under consideration for several years - would, if enacted,
create the enforcement mechanism that is currently absent: a data protection authority
with the power to investigate credential breaches, require remediation, impose fines
on organizations with inadequate security practices, and mandate disclosure to affected
subscribers. Until this legislation is enacted, the TRC and MoDEE must rely on
license conditions and administrative guidance to address security failures that a
proper regulatory framework would address through mandatory security standards and
breach notification requirements.
## What Should Have Been Done
Preventing credential leakage at the scale documented in the SMT Group study requires
addressing the security practices that enable credential databases to be exfiltrated
and the storage practices that make leaked credentials immediately exploitable. For
a telecommunications operator of Orange Jordan’s scale - with a subscriber
base encompassing a large fraction of Jordan’s population - the security
investment required to protect subscriber credentials should be commensurate with the
value and sensitivity of the data held, not merely the minimum required by a regulatory
framework that does not yet exist.
Password storage practices are the most fundamental preventive measure for limiting
the impact of credential database exfiltration. If subscriber passwords are stored
using a strong, modern, salted hashing algorithm - bcrypt, Argon2, or scrypt
- rather than in plaintext or using fast cryptographic hashes like MD5 or
SHA-1, then an attacker who exfiltrates the credential database cannot directly
use the obtained data to authenticate to subscriber accounts. The computational
cost of cracking properly salted bcrypt hashes at scale is prohibitive for all
but the most targeted attacks. Orange Jordan should have audited all systems that
store subscriber credentials and migrated any legacy plaintext or weakly hashed
credential stores to modern password hashing standards as a matter of priority.
Any system that could not be migrated should have been isolated from internet-facing
access pending redevelopment.
Application security testing for all web applications that process subscriber
credentials - self-service portals, account management systems, and API
endpoints - is essential for preventing the SQL injection and web application
attacks that are the most common vectors for credential database exfiltration.
Orange Jordan should have conducted annual penetration testing against all
internet-facing systems, supplemented by continuous automated web application
scanning that identifies new vulnerabilities as they are introduced by application
updates. The OWASP Top Ten represents the minimum scope of web application
security testing that should be applied to any system handling subscriber credentials.
Bug bounty programs, which incentivize external security researchers to responsibly
disclose vulnerabilities before attackers exploit them, would have provided additional
coverage at relatively low cost.
The undisclosed data collection practices identified in the Business & Human Rights
Resource Centre investigation require a different remediation approach: governance and
policy reform rather than purely technical controls. Orange Jordan and the other ISPs
identified should have published clear, accessible privacy notices explaining what
data they collect about subscriber behavior, for what purposes it is used, with whom
it is shared, and how long it is retained. These notices should have been presented
at the point of subscriber sign-up and made permanently accessible through the operator’s
website. Data minimization - collecting only the data necessary for the provision
of contracted services - should have been a design principle, not an afterthought.
The collection of “intrusive” user information beyond what is necessary
for service provision creates liability exposure and erodes the subscriber trust that
a competitive telecommunications market depends upon.
Orange Jordan’s documented dominance of Jordan’s telecom credential leakage
landscape reflects the consequences of operating a large subscriber credential database
in a regulatory environment that imposes no minimum security standards, no breach
notification obligations, and no meaningful accountability for organizations whose
inadequate practices enable subscriber data to flow to criminal actors - a gap
that Jordan’s long-delayed Personal Data Protection Law would begin to close.
## ZERO|TOLERANCE Advisory
The Orange Jordan credential leakage pattern is not a story about a sophisticated attacker defeating advanced defenses. It is a story about basic security hygiene failures at the organization that holds credentials for a substantial proportion of Jordan’s population.
The difference between a telecom operator whose credential database is a commodity on dark web markets and one whose leaked data is computationally useless to attackers comes down to a single technical decision: how passwords are stored.
The first and most fundamental control is migrating all subscriber credential stores to a modern salted hashing algorithm - bcrypt, Argon2, or scrypt.
If passwords are stored using these algorithms with unique per-user salts, an attacker who exfiltrates the entire credential database cannot directly authenticate to subscriber accounts. The computational cost of cracking properly salted bcrypt hashes at scale is prohibitive.
This is not an emerging technology - bcrypt has been available since 1999. Any system still storing subscriber passwords in plaintext or using fast hashing algorithms like MD5 or SHA-1 should be treated as a critical vulnerability requiring emergency remediation.
Orange Jordan should audit every system that stores subscriber credentials and migrate legacy stores to modern hashing standards. Systems that cannot be migrated should be isolated from internet-facing access pending redevelopment.
The second control is continuous application security testing for all web applications that process subscriber credentials.
Self-service portals, account management systems, and API endpoints are the most common vectors for credential database exfiltration through SQL injection and other web application attacks.
Annual penetration testing against all internet-facing systems, supplemented by continuous automated scanning using tools such as Burp Suite Enterprise, OWASP ZAP, or Qualys WAS, would identify vulnerabilities before attackers exploit them.
A bug bounty program, incentivizing external security researchers to responsibly disclose vulnerabilities, provides additional coverage at relatively low cost.
The OWASP Top Ten represents the minimum scope of testing that should be applied to any system handling subscriber credentials.
The third control addresses the undisclosed data collection practices identified by the Business & Human Rights Resource Centre.
Orange Jordan and the other ISPs should publish clear, accessible privacy notices explaining what data they collect about subscriber behavior, for what purposes it is used, with whom it is shared, and how long it is retained.
Data minimization - collecting only what is necessary for contracted services - should be a design principle, not an afterthought. The collection of intrusive user information beyond what is necessary for service provision creates liability exposure and erodes subscriber trust.
The fourth control is mandatory credential monitoring: subscribing to dark web monitoring services such as SpyCloud, Recorded Future Identity Intelligence, or Have I Been Pwned’s domain search to detect when subscriber credentials appear in leaked datasets.
Early detection enables forced password resets and subscriber notification before the credentials are exploited at scale.
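The two technical controls above (migrating legacy credential stores to a salted, memory-hard hash, and checking leaked credentials against the store so affected accounts can be reset) as an added Python example; this is not Orange Jordan's or the SMT Group's code. It uses the stdlib scrypt, the one algorithm named above that needs no third-party package (bcrypt and Argon2 do), and the record formats, user names and passwords are assumptions constructed for the demo.

```python
import hashlib
import hmac
import os

# Hypothetical record formats: legacy rows are plaintext or a bare unsalted MD5/SHA-1
# hex digest; migrated rows are "scrypt$<salt-hex>$<digest-hex>".
def classify(stored: str) -> str:
    """Audit helper: label how a stored credential is protected."""
    if stored.startswith("scrypt$"):
        return "scrypt"
    if len(stored) in (32, 40) and all(c in "0123456789abcdef" for c in stored):
        return "md5" if len(stored) == 32 else "sha1"
    return "plaintext"

def hash_scrypt(password: str, salt: bytes = b"") -> str:
    """Salted, memory-hard hash from the stdlib (N=2^14, r=8, p=1: ~16 MiB per guess)."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"

def verify(password: str, stored: str) -> bool:
    """Constant-time check for every format, so legacy rows can still log in once."""
    kind = classify(stored)
    if kind == "scrypt":
        _, salt_hex, _ = stored.split("$")
        candidate = hash_scrypt(password, bytes.fromhex(salt_hex))
    elif kind in ("md5", "sha1"):
        candidate = hashlib.new(kind, password.encode()).hexdigest()
    else:
        candidate = password
    return hmac.compare_digest(candidate.encode(), stored.encode())

def login(store: dict, user: str, password: str) -> bool:
    """Verify, then transparently upgrade a legacy record while the cleartext is in hand."""
    stored = store.get(user)
    if stored is None or not verify(password, stored):
        return False
    if classify(stored) != "scrypt":
        store[user] = hash_scrypt(password)
    return True

def check_leak_feed(store: dict, feed: str) -> list:
    """Credential monitoring: which leaked user:password pairs still unlock an account?"""
    hits = []
    for line in feed.splitlines():
        user, _, leaked_pw = line.partition(":")
        if user in store and verify(leaked_pw, store[user]):
            hits.append(user)  # candidates for a forced reset and subscriber notification
    return hits

# Constructed sample store: one plaintext, one unsalted MD5, one already-migrated record.
SAMPLE_STORE = {
    "sub1@example.test": "Winter2019!",
    "sub2@example.test": hashlib.md5(b"password123").hexdigest(),
    "sub3@example.test": hash_scrypt("correct horse battery staple"),
}
# Constructed leak-feed lines in the user:password form a monitoring service might deliver.
SAMPLE_FEED = ("sub1@example.test:Winter2019!\nsub2@example.test:wrongguess\n"
               "sub3@example.test:correct horse battery staple")
```

Running `classify` over every record gives the audit count of rows still needing migration; rows that never log in again must be migrated by forced reset, since rehashing needs the cleartext.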
The fifth control is the one that only Jordan’s government can implement: enacting the long-delayed Personal Data Protection Law that would create a data protection authority with the power to investigate credential breaches, require remediation, impose fines, and mandate disclosure to affected subscribers.
Until that legislation exists, the telecom sector operates in a regulatory vacuum where the cost of negligence is effectively zero.