Orange Group confirms breach after hacker leaks company documents
A hacker claims to have stolen thousands of internal documents with user records and employee data after breaching the systems of Orange Group, a leading French telecommunications operator and digital service provider.
The threat actor published on a hacker forum details about the stolen data after trying to extort the company unsuccessfully.
Orange confirmed the breach to BleepingComputer, saying that it occurred on a non-critical application. The company initiated an investigation and is working to minimize the impact of the incident.
According to the threat actor, who uses the alias Rey and is a member of the HellCat ransomware group, the stolen data is mostly from the Romanian branch of the company and includes 380,000 unique email addresses, source code, invoices, contracts, and customer and employee information.

Rey told BleepingComputer that the breach was not a HellCat ransomware operation and that they had access to Orange’s systems for over a month.
On Sunday morning, they started exfiltrating company data and the activity ran for about three hours without the company detecting it.
Some samples shared with BleepingComputer show email addresses from former and current Orange Romania employees, partners, and contractors, along with partial details for payment cards belonging to Romanian customers.
Some of the data we verified was quite old. For instance, some of the email addresses were used by individuals who had worked or collaborated with Orange Romania more than five years ago.
In the sample with partial payment card information, we found many instances where the data had expired. The leak also contains email addresses and names of customers of Yoxo, Orange's subscription service with no contract period.
Rey says that they stole almost 12,000 files totaling close to 6.5GB after compromising Orange’s systems by exploiting compromised credentials and vulnerabilities in the company’s Jira software for bug/issue tracking and in internal portals.

The threat actor told us they dropped a ransom note on the compromised system but Orange did not initiate negotiations.
BleepingComputer reached out to both Orange Group and Orange Romania with a request for comment and the company said they were looking into the matter.
A joint statement was shared, and an Orange spokesperson told us that they have been discussing the incident internally, along with the steps to mitigate it.
"Orange can confirm that our operations in Romania have been the target of a cyberattack," a company representative told BleepingComputer.
"We took immediate action, and our top priority remains protecting the data and interests of our employees, customers and partners. There has been no impact on customers’ operations, and the breach was found to occur on a non-critical back office application" - Orange
The company representative said their "cybersecurity and IT teams are working hard to assess the extent of the breach and minimize the impact of this incident."
“We are committed to providing regular updates. Additionally, we are committed to complying with all legal obligations associated with such incidents and we are cooperating with the relevant authorities to address this matter,” reads the rest of the statement.
Rey told us they breached Orange independently but they are part of the HellCat ransomware group, which has claimed attacks on Schneider Electric and Spanish telecommunications company Telefónica.
In both breaches, the hackers targeted Jira servers and scraped or stole 40GB of data and 2.5GB of documents respectively.
source: BleepingComputer