British Telecoms Provider Colt Updates After Major Cyber Attack and Data Breach
Business communications and internet provider Colt Technology Services (COLT) has provided an update after hackers breached their business support systems late last week, which resulted in the provider choosing to proactively take some systems offline. Work to restore the service remains ongoing, but sadly it is now known that a data breach has occurred.
The situation, which has also had knock-on impacts for other telecoms and networking providers across the UK and other countries, originally started on the morning of 12th August 2025 after hackers (allegedly a ransomware gang) breached some of Colt’s internal business support systems – said to be “separate from our customers’ infrastructure“.
The attackers are speculated to have entered through the sharehelp.colt.net server via as recently identified vulnerability in Microsoft’s SharePoint content management and collaboration platform (CVE-2025-53770), which has been given a critical vulnerability score of 9.8 out of 10. But this has not yet been officially confirmed by Colt.
Advertisement
In response, after detecting unusual activity on their business support systems, Colt decided to take some of their key systems offline (e.g. customer portal, NaaS portal, Voice/number API platform) and has been trying to safely recover everything since then. The situation is also disrupting the ordering and delivery of new services, while customer support has suffered after other “automated processes and systems” were also taken offline.
Sadly, it’s since come to light that “some data has been taken” by hackers (including customer data), although the official Cyber Incident page on Colt’s website remains rather vague on the detail.
Colt’s Latest Statement to Customers
We are writing to provide an update on the cyber incident that has affected our business support systems (BSS).
We are now aware that the threat actor has accessed certain files that may contain data related to our customers and posted the document titles on the dark web. Our immediate priority is to determine the precise nature of the files and what information they contain.
We have notified the relevant regulators and authorities, and we continue to work closely with law enforcement agencies as part of our investigation. We are leveraging all available resources to understand the scope and nature of the data breach and to recover the files as a matter of urgency. This is a complex investigation, and we are making progress.
We want to reassure you that this cyber incident is limited to our business support systems, which are separated from our customer infrastructure.
We are committed to sharing relevant details with you as our investigation progresses. Our dedicated incident response team, including external investigators and forensic experts, continue to work 24/7 on the investigation and recovery.
We will contact customers directly where we have specific knowledge of file names accessed.
We have set up a dedicated telephone line to help answer any questions you may have – this will be available from midday BST on Monday 18th August – local free of charge numbers can be found on the website URL below.
You can follow live information on a customer-only page, which can be found at https://www.colt.net/go/it-incident/
If you have any immediate questions, please get in touch with us at customerinformation@colt.net and we will respond as quickly as possible.
We sincerely apologise for any inconvenience this may cause. We greatly appreciate your patience, understanding and ongoing co-operation.
Yours sincerely,
Annette Murphy
Chief Commercial Officer, Colt Technology Services
The most recent service status update, which was posted at 5:45pm yesterday, noted that Colt’s teams “continue to work 24/7 to restore the internal systems affected by the recent cyber incident. We understand how frustrating it is not to have access to some of our support services such as Colt Online and our Voice API platform, and we’re very sorry for this. We appreciate your continued patience and understanding.”
Meanwhile, there are reports (ITPro.) that the cyber gang involved have begun trying to sell millions of related documents online, which are said to cover everything from employee salary and financial data to customer contract data, network details and software development details etc. Several hundred GigaBytes of information is allegedly being offered.
Advertisement
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on X (Twitter), Mastodon, Facebook, BlueSky, Threads.net and Linkedin.
« Customers of UK ISP Earth Broadband Suffer Billing Errors and Support Woes
Advertisement
Leave a Reply
Privacy Notice: Please note that news comments are anonymous, which means that we do NOT require you to enter any real personal details to post a message and display names can be almost anything you like (provided they do not contain offensive language or impersonate a real person’s legal name). By clicking to submit a post you agree to storing your entries for comment content, display name, IP and email in our database, for as long as the post remains live.
Only the submitted name and comment will be displayed in public, while the rest will be kept private (we will never share this outside of ISPreview, regardless of whether the data is real or fake). This comment system uses submitted IP, email and website address data to spot abuse and spammers. All data is transferred via an encrypted (https secure) session.
Month after SharePoint vulnerability was publicly disclosed and they’ve done nothing. I could somehow understand this for company with IT outsourced to Bangladesh, but for this size and brand recognition company it is an absolute joke.
I’m a customer of a voip provider that may or could be impacted by this outage, as they were not able to port my numbers across since the outage began last week.
I have since recalled the porting request and gone back to the original provider as there is no guarantee when the port will happen.
„someone claiming to represent the Warlock ransomware group has posted on a dark web forum that they are offering to sell one million of Colt’s stolen documents for US $200,000.
The data is said to include financial, customer, and employee data, as well as internal emails. Sure enough, WarLock’s data leak site on the dark web includes an entry for Colt, and has announced that it is auctioning the data to whoever might want it.“
https://www.fortra.com/blog/warlock-ransomware-what-you-need-know