Information about the data breach at Telia Norge
Telia Norge has been subjected to a data breach that has resulted in customer data being stolen. Our investigations show that information about business customers to whom Telia delivers data communication services (datacom) has been affected.
We take this situation extremely seriously and have mobilized significant resources to handle it. We are working closely with the authorities, and the incident is under investigation by the police. Our top priority now is to assist those affected.
We sincerely apologize for any inconvenience this incident may cause your company.
What has happened?
In late November 2025, Telia discovered that unauthorized parties had gained access to part of Telia Norge’s IT environment. Immediate measures were taken to identify the intruders, block their access, and prevent others from gaining entry. At the same time, an analytical process was initiated to determine the extent of the damage caused by the data breach, but at that point it was not possible to conclusively determine the full scope.
Further efforts continued into 2026 to assess the severity and scale of the theft and to implement necessary security measures. On February 6, a criminal hacker group announced on the dark web that one week later they would publish large amounts of data extracted from Telia Norge’s systems. There has been no contact between the hacker group and Telia Norge. Telia quickly established that this data could originate from the November incident. The company immediately notified relevant authorities in line with established procedures.
Large amounts of data have been published on the dark web, and it is a comprehensive task to map and analyze all of it in order to determine what is sensitive and what is less sensitive.
Investigations to date show that information about business customers who receive datacom services from Telia has been affected. This includes information such as addresses, on-site contact persons, services, and LAN IP addresses. Work to inform these customers began some time ago, and all affected customers will receive information during this week.
We have already implemented, and continue to implement, ongoing security measures both internally and for our customers as a result of the data breach. This work is of the highest priority.
Significant resources are also involved in handling, investigating, and helping to limit the damage caused by the data breach.
The Norwegian Data Protection Authority (DPA) and the Norwegian Communications Authority (Nkom) have been notified as required. The data breach has also been reported to the police and is under investigation by the National Criminal Investigation Service (Kripos).
What do we recommend you do?
We currently have no indications that customer data has been misused. However, as a general precaution, we recommend that you stay alert to possible identity theft or fraud attempts.
If business‑critical and technical support information may be exposed, the greatest risk relates to possible secondary attacks. These could include targeted social engineering, attempts to make unauthorized changes, or more precise technical attacks.
To maintain security, we recommend strengthening routines for verifying requests related to changes in services, networks, or access rights, and ensuring that such changes cannot be carried out without clear control. Identities and access rights should also be reviewed regularly to ensure least‑privilege principles are upheld and that unused or unnecessary access rights are removed.
We also recommend ensuring that systems and network components are kept up to date, that exposure to the outside world is limited to what is necessary, and that monitoring and logging are actively used to detect unwanted incidents early.
If you suspect misuse or need a review of your security setup, please contact us for further dialogue and possible actions. You are welcome to contact us at e-mail if you have any questions.
Questions and Answers
Business customers who use Telia’s data communication services (datacom) are affected. Work to notify impacted customers began earlier, and all affected customers will be informed during week 10.
There are currently no indications that information related to customers using mobile services or IoT services from Telia has been affected. We are continuously analyzing the material and will get back to you if we discover information about your business in the stolen data.
We have identified that business information contained in order forms for our datacom services has been affected. This includes information such as addresses, on-site contact persons, services, and LAN IP addresses. We continue to analyze the material and will notify you if we identify additional information related to your business.
There are no indications that network components have been exposed. Nevertheless, we have implemented a range of preventive measures, including changing usernames and passwords for all network components, reviewing access lists, updating encryption keys, and expanding monitoring.
We currently have no indications that customer data has been misused, but we know that contact information can be used in fraud attempts and identity theft. We therefore encourage affected customers to be extra vigilant regarding suspicious emails, SMS messages, or phone calls in the coming period. Never share personal information if you are unsure of who is requesting it.
The dark web is a part of the internet that is not accessible through regular search engines such as Google. Access requires special browsers or technical tools that hide users identities.
Data that ends up on the dark web may be accessible to criminal groups, sold or shared further, and used in fraud or identity theft. Once information is published there, it can be difficult to remove.
It requires some skill and knowledge to locate and use information from the dark web, which is mainly used by people with high technical expertise, criminal actors, and organized cybercrime networks.
Telia discovered in late November 2025 that unauthorized parties had gained access to part of our IT environment. Immediate measures were taken to identify the intruders, remove them, and prevent further access. At the same time, analysis work was initiated to determine the damage caused, although the full scope could not be definitively determined at that time.
Further efforts continued into 2026 to assess the severity and scale of the theft and implement necessary security measures. On February 6, a criminal hacker group announced on the dark web that it would publish large amounts of data extracted from Telia Norge’s systems one week later. There has been no contact between the group and Telia Norge. Telia quickly determined that this data could originate from the November incident and immediately notified relevant authorities.
Large amounts of data have now been published on the dark web, and it is a comprehensive effort to assess which data is sensitive and which is not.
We proactively started informing affected business customers, and all of them will receive detailed information during week 10.
We have already implemented, and are continuing to implement, security measures both internally and for our customers. This work is a top priority.
The Norwegian Data Protection Authority (DPA) and the Norwegian Communications Authority (Nkom) have been notified. The data breach has also been reported to the police and is under investigation by Kripos.
Telia discovered in late November 2025 that unauthorized parties had gained access to part of our IT environment. Immediate measures were taken to identify the intruders, remove them, and prevent further access. Further investigations are ongoing to clarify the incident and gain full insight. This forms part of the ongoing investigation by Kripos and our own internal review.
A criminal hacker group has published the material on the dark web. There has been no contact between the hacker group and Telia Norge.