Colt confirms data theft

Colt Technology Services has confirmed that data was stolen in a recent cyberattack that disrupted its operations.

The admission comes as the Warlock ransomware gang begins auctioning what it claims are over a million stolen documents on its dark web site.

The London-based telecoms provider first began facing disruption to its services on 12th August, and confirmed foul play three days later.

Initially, Colt said there was no evidence of data theft. But in a new statement on a dedicated incident page, the company acknowledged that information had indeed been taken.

"Through our extensive investigation, we have determined that some data has been taken," Colt said.

"Our priority is to determine at pace the precise nature of the data that is impacted and notify any affected parties."

The company added that certain stolen files "may contain information related to our customers."

In an unusual move, Colt is allowing customers to request the full list of filenames allegedly published by Warlock, via its dedicated call centre. Since that list is not visible on the gang's leak site, this suggests Colt may be in direct contact with the attackers.

Colt's service status page continues to show disruption. Its customer portal (Colt Online) and Voice API platform remain offline, while some customers are also experiencing problems with the number-hosting API platform and Colt On Demand, its network-as-a-service portal.

The telco has apologised, saying its teams are "working tirelessly" to restore services, but has not given a timeline for full recovery.

Meanwhile, Warlock has claimed responsibility for the breach, saying it stole a trove of sensitive data including employee and customer records, financial documents and details of Colt's network architecture and software development.

A hacker using the alias "cnkjasdfgd" asserted that the stolen dataset exceeds one million files.

Security researcher Kevin Beaumont suggested that the intrusion may have exploited a recently patched Microsoft SharePoint Server vulnerability (CVE-2025-53770), which allowed attackers to bypass security features.

Researchers at Trend Micro also linked Warlock to widespread exploitation of the same bug, which has affected organisations worldwide since July.

Unlike most ransomware groups, which practise "double extortion" by leaking samples of stolen data online, Warlock has chosen to withhold any material from public view. Instead, it is attempting to sell the data via a private auction, scheduled to end on 27th August.

Auction-based monetisation of stolen files is rare, though not unprecedented – most notably seen in RansomHub's 2023 raid on auction house Christie's.

Warlock only emerged in June, but has already established itself as a prolific ransomware operator.

In its first appearance on a Russian cybercrime forum, the gang advertised its services under the slogan: "If you want a Lamborghini, please call me."

Since then, it has been linked to at least 11 confirmed cyberattacks.

Trend Micro researchers noted that roughly half of Warlock's victims so far have been government agencies, and many belong to the technology and critical infrastructure sectors across North America, Europe, Asia and Africa.

The firm also suggested that Warlock may have connections to the defunct Black Basta ransomware syndicate.