Cyber Incident Victim: Orange România
Date: Jan 2025
Location: Romania
Summary
A hacker associated with the HellCat ransomware group breached Orange România's systems using compromised credentials and vulnerabilities in its Jira software, maintaining undetected access for over a month before exfiltrating data. Stolen information included approximately 380,000 unique email addresses, internal documents, customer details, partial payment card data, source code, invoices, and contracts—affecting current and former employees, partners, contractors, and subscribers of its Yoxo service. While some exposed payment details were expired and certain email addresses belonged to inactive customers, the attacker claimed to have left a ransom note without receiving a response, clarifying the intrusion was not an official HellCat operation despite their affiliation.
Description
On February 1, 2025, Orange România confirmed it was targeted in a cyberattack claimed by an individual using the alias "Rey," associated with the HellCat ransomware group. The attacker maintained unauthorized access to Orange's systems for over one month before exfiltrating data during a three-hour window without detection. Rey asserted the intrusion was not part of an official HellCat operation despite their affiliation with the group, which has historically targeted other organizations. The compromised data primarily affected Orange România and included approximately 380,000 unique email addresses, internal company documents, and customer information. Samples of stolen records contained email addresses belonging to current and former employees, partners, and contractors, alongside source code, invoices, contracts, and partial payment card details linked to Romanian customers. Some exposed email addresses belonged to individuals who had not been Orange customers for over five years, and many compromised payment card details had already expired. Data from Yoxo, Orange's contract-free subscription service, was also included in the breach.

The attacker gained initial access through a combination of compromised credentials and vulnerabilities in Jira, Orange's issue-tracking software, and targeted internal portals during the intrusion. Rey left a ransom note on the compromised system but stated Orange did not engage in negotiations, leading to the public release of stolen data on a hacker forum. The leaked information encompassed operational assets like source code and financial documents, exposing organizational and customer data despite partial obsolescence of some records. No ransomware deployment or encryption of systems occurred during the incident. Orange did not publicly disclose containment measures or detection timelines in the immediate aftermath, while the attacker emphasized the prolonged undetected access prior to data extraction.
