Orange Group data breach: Every step explained

The Orange Group data breach has exposed sensitive customer and corporate data, affecting hundreds of thousands of individuals and employees. The breach was confirmed after a hacker leaked internal documents from Orange Romania, a subsidiary of the French telecommunications giant Orange Group.

This attack, attributed to a threat actor named Rey, was carried out after Orange refused to pay a ransom demand. The leaked dataset includes over 600,000 customer records, employee details, financial documents, and source code—all of which have now been made publicly available on hacker forums.

Unlike many cyberattacks that disrupt operations, this breach did not impact Orange’s core services. However, it raises serious concerns about data security in the telecom sector, especially given the highly sensitive nature of the leaked information. The fact that attackers had access to Orange’s systems for over a month before exfiltrating the data highlights major security gaps in the company’s detection and response mechanisms.

Orange Group is one of Europe’s largest telecommunications providers, offering mobile, broadband, and enterprise services across multiple countries. With a strong presence in France, Romania, Spain, Belgium, and several African nations, the company plays a crucial role in global communications infrastructure.

Orange Romania, one of its key subsidiaries, serves millions of customers and provides various digital services, including:

• Mobile and broadband connections
• Enterprise solutions for businesses
• Cloud computing and cybersecurity services
• Subscription-based offerings like Yoxo (a no-contract mobile service)

Given its extensive customer base and the nature of the data it handles, Orange is a high-value target for cybercriminals. The exposure of internal records, financial data, and personal identifiers in this breach raises alarms about how telecom providers protect their networks and customers from evolving cyber threats.

DISA data breach: Everything you need to know and steps to take

Why this breach matters

This is not just another corporate data breach—it’s a direct attack on a major telecommunications provider, impacting customers, employees, and business partners. The sensitive data leaked includes:

• Personally Identifiable Information (PII): Names, email addresses, and contact details of customers and employees.
• Financial data: Invoices, contracts, and partial payment card details of Romanian customers.
• Corporate documents: Internal files, source code, and future project plans that could expose the company to further security risks.

Beyond the immediate risks, this breach sets a dangerous precedent for telecom cybersecurity. If a company as large as Orange can suffer a month-long undetected intrusion, it raises questions about how secure global telecom infrastructure really is.

With cybercriminals increasingly targeting telecom operators, this incident serves as a wake-up call for stronger security measures across the industry. The following sections will break down the timeline of the attack, its full impact, and the steps affected individuals should take to protect themselves.

When and how the breach occurred

The breach was carried out by Rey, a member of the HellCat ransomware group, though the attack was not officially classified as a ransomware operation. Instead, it was a targeted intrusion where the hacker gained unauthorized access to Orange’s internal systems and exfiltrated sensitive data.

Key events of the breach:

• Pre-February 2025: The hacker gained access to Orange’s systems over a month before the breach was publicly revealed.
• Sunday Morning, February 2025: The attacker began exfiltrating data from Orange Romania’s systems.
• Three-Hour Data Theft Window: The exfiltration process lasted about three hours, during which the hacker was able to steal 6.5GB of data without being detected.
• February 24, 2025: The breach was officially confirmed by Orange Group, stating that it was limited to a non-critical back-office application.
• February 25, 2025: The hacker publicly leaked the stolen data on BreachForums after Orange refused to pay the ransom.

The fact that Orange’s security teams failed to detect unauthorized access for over a month is a major concern. Even when the hacker exfiltrated gigabytes of data within three hours, Orange’s monitoring systems did not flag or interrupt the activity, suggesting a lack of real-time threat detection.

Unlike many ransomware incidents where attackers encrypt systems and demand payment immediately, this breach followed a different pattern:

1. Silent infiltration: The hacker gained access to Orange’s network and remained undetected for over a month.
2. Failed extortion attempt: Rey attempted to extort Orange, likely demanding a ransom in exchange for not leaking the stolen data.
3. Data leak after refusal to pay: After Orange refused to negotiate, the hacker released over 12,000 internal files containing customer and employee data, financial records, and confidential business documents.

Orange confirmed the breach but downplayed its impact, stating that it affected a “non-critical back-office application” and did not disrupt core operations. However, this response does not address the long-term risks posed by the stolen data, especially for affected customers and employees.

While Orange disclosed the breach relatively quickly after the hacker made it public, the company’s internal detection and response were far slower than expected. The key concerns include:

• A month-long unauthorized presence: The attacker had full access to Orange’s internal environment for an extended period.
• Lack of automated breach detection:  The three-hour data exfiltration process should have triggered intrusion alerts, yet it went unnoticed.
• Delayed notification to affected individuals: While Orange immediately announced an investigation, there’s no confirmation on when or if impacted customers will be individually notified.

Orange’s official statement

Following public exposure of the breach, Orange issued a statement confirming the attack and outlining its response:

• The company immediately took action to secure systems after detecting the attack.
• Cybersecurity teams are working to assess the full extent of the breach.
• Orange emphasized that customer operations were not impacted and that it is complying with legal obligations regarding the incident.

However, the company did not address how it plans to handle the leaked customer and employee data, leaving uncertainty about the long-term consequences for those affected.

With the breach now public, Orange will face regulatory scrutiny, particularly under European GDPR laws, which impose strict breach notification requirements. Additionally, affected individuals may file legal claims if they suffer damages from identity theft or fraud.

Steps for affected individuals

The Orange Group data breach has put hundreds of thousands of customers, employees, and business partners at risk. While some of the leaked data may be outdated, attackers can still use it for identity theft, phishing, and fraud. Individuals affected by the breach should take immediate action to safeguard their accounts and financial information.

1. Monitor email and online accounts for suspicious activity

One of the most concerning aspects of this breach is the exposure of 380,000 unique email addresses, including those belonging to current and former employees, customers, and partners. Cybercriminals often use stolen emails to launch targeted attacks, including phishing scams, credential stuffing, and social engineering schemes.

What to watch for:

• Phishing attacks impersonating Orange – Hackers may send emails pretending to be from Orange, asking for login credentials, payment details, or personal information.
• Unusual login attempts on your accounts – If attackers try to access online accounts linked to the leaked email addresses, users may receive alerts about failed login attempts.
• Spam and scam emails – Stolen email addresses may be sold on the dark web, leading to an increase in spam, scam messages, and fraudulent offers.

How to protect yourself:

• Be skeptical of emails requesting personal information. Orange will never ask you to provide sensitive details over email.
• Check for suspicious login activity in your email account and other linked services. Most email providers (Gmail, Outlook, Yahoo) allow users to monitor recent logins.
• Use an email filtering tool to block spam and phishing attempts before they reach your inbox.

2. Change passwords and enable multi-factor authentication (MFA)

If your email address was included in the breach, you should immediately reset your passwords, especially for accounts associated with Orange or any other critical services. Hackers often attempt credential stuffing attacks, where they use stolen login credentials from one breach to access other accounts.

Steps to secure your accounts:

1. Reset passwords for all accounts linked to the compromised email address.
2. Use strong, unique passwords – Avoid using the same password across multiple services. A good password should be at least 12 characters long, with a mix of letters, numbers, and special characters.
3. Enable Multi-Factor Authentication (MFA) – MFA adds an extra layer of security, requiring a second form of verification (such as a code sent to your phone) before logging in. Even if hackers have your password, they won’t be able to access your account without this additional step.
4. Check if your credentials were exposed in other data breaches using services like Have I Been Pwned (https://haveibeenpwned.com/).

Why MFA is crucial:

• Stops most unauthorized logins even if your password is compromised.
• Reduces the risk of account takeovers, especially for banking, email, and social media accounts.
• Prevents hackers from accessing work-related systems if corporate accounts were part of the breach.

3. Monitor financial statements

Although some of the leaked payment card details are outdated, individuals should still review their financial accounts for any signs of fraud. Cybercriminals often combine partial financial data with phishing tactics to trick victims into providing their full payment information.

Steps to protect your financial data:

• Check your bank and credit card statements regularly – Look for any unauthorized transactions or charges you don’t recognize.
• Enable transaction alerts – Many banks and credit card providers offer real-time notifications for account activity, helping you detect fraud faster.
• Report any suspicious activity immediately – If you notice unauthorized charges, contact your bank or credit card provider to dispute them and request a card replacement.
• Be cautious of phone calls or emails asking for payment verification – Attackers may pose as bank representatives claiming to “verify” your financial information.

What to do if your payment details were compromised:

• Request a new card from your bank if you believe your payment information is at risk.
• Consider placing a fraud alert or security freeze on your credit file to prevent identity thieves from opening new accounts in your name.

Featured image credit: Orange Group