“When everything goes black and dark, the only thing you can rely on is people and communications.”
— Keri Gilder, CEO, Colt Technology Services
On 12 August 2025, at approximately 11:00 AM BST, Colt Technology Services - a multinational telecommunications provider serving 27,000 enterprise customers across 40 countries and operating 75,000 km of fibre network - detected a cyber incident on its internal systems. Within hours, its Colt Online customer portal and Voice API platform were dark.
The company’s initial public statement described the situation as a “technical issue.” By Thursday 14 August, it had confirmed a cyber incident. By the weekend, the WarLock ransomware group had posted to the RAMP cybercrime forum, claiming to be selling one million stolen Colt documents - financial data, employee salary records, customer contracts, executive personal information, and detailed network architecture files - for $200,000.
The incident was later attributed to exploitation of CVE-2025-53770, a critical remote code execution vulnerability in on-premises Microsoft SharePoint Server - part of an exploit chain known as “ToolShell” - which had been actively exploited as a zero-day before Microsoft issued out-of-band patches in July 2025. Security researcher Kevin Beaumont identified the likely vector from public telemetry and Shodan data shortly after the attack became public.
RECOVERY TIMELINE: Services remained disrupted for more than three months. In a September update, Colt confirmed that full restoration would take 8–10 weeks from mid-August, pushing expected completion to late November 2025.
As of early October, the customer portal, hosting APIs, and Voice-on-Demand tools remained offline. Billing functionality was also disrupted, delaying invoice issuance across the business. Colt filed more than 75 reports to regulators, law enforcement bodies, and cybersecurity agencies across 27 countries.
The Colt incident is reported to have included a complication familiar to incident responders at large organisations: the ‘clean and reinfect’ cycle. According to accounts of the response, the forensic specialists engaged to investigate, cleanse, and restore affected systems found hidden malware that reactivated after what had looked like a successful remediation. This is consistent with the tradecraft of established ransomware operators, who plant secondary payloads, web shells, or persistence mechanisms (scheduled tasks, services, rogue accounts, stolen keys) across the estate, where they lie dormant until the primary intrusion appears to have been contained.
Colt’s own public statement confirmed that “steps to remove the threat actor from our environment” had been taken, and that the incident had been “contained.” But the extended recovery timeline - stretching well beyond what simple data recovery would require - is consistent with the painstaking work of eradicating multiple layers of compromise. The company confirmed it was enhancing detection and response capabilities and implementing “additional resilience measures” even after the initial containment.
This is not unusual. It is the norm. Modern ransomware groups do not simply encrypt files and wait. They establish persistence, exfiltrate data over extended periods, and seed systems with secondary access mechanisms designed to survive standard remediation. Patching the initial entry point is necessary but not sufficient: for ToolShell specifically, Microsoft’s guidance paired the SharePoint update with rotating the servers’ ASP.NET machine keys and restarting IIS, because keys captured during exploitation allow an attacker to forge valid requests to a server that has already been patched. The lesson for any organisation is stark: a system that appears clean may not be clean. And the response process itself - the coordination, the communications, the command-and-control of the recovery - cannot rely on the very infrastructure the attackers have compromised.
Speaking to Capacity magazine in October 2025, Colt CEO Keri Gilder offered a remarkably candid post-incident reflection. Her words are worth sitting with:
“Almost every conversation that we had with our customers and suppliers started with them saying: If it wasn’t you, it would be us. The main lesson learned is that the crisis plans and preparation most leadership teams practice with is for the physical part of the attack - systems down, manual processes, business continuity. What leaders do not plan for is the emotional side of a cyberattack - the human trauma associated with it.”
And then this:
“What I realised through the event is leadership is leading people, and it’s not leading technology, and it’s not leading systems and processes.”
This is the truth that crisis communications professionals have long understood but that technology leaders are still learning. When the systems are down, when the attackers are inside, when the forensic teams are working through the night - the only things that remain are people and their ability to communicate.
The CEO of a global telecommunications company - whose entire business is providing communications infrastructure to others - found herself in a position where her own organisation’s internal communications were compromised. This is not irony. It is the fundamental nature of the threat.
The Colt incident crystallises a challenge that YUDU Sentinel has been built to address: in a serious cyber incident, the primary network, the email infrastructure, the collaboration platforms, and the customer-facing systems are all potentially compromised, unreliable, or deliberately taken offline. The attacker’s first move is often to degrade your ability to respond.
An out-of-band (OOB) communications platform operates on entirely separate infrastructure - independent of the corporate network, independent of the compromised SharePoint server, independent of the email systems that may themselves have been infiltrated. It exists precisely for the moment when everything else goes dark.
Consider what Colt’s leadership team needed in those first hours on 12 August:
Without an OOB capability in place before the attack, each of these requirements creates improvisation under pressure - the worst possible time to improvise communications infrastructure.
Colt’s own status page, maintained throughout the incident, shows the company working to maintain customer communications through manual processes. It is a testament to the team’s resilience - but it is also evidence of what happens when you are fighting the crisis and rebuilding your communications capability at the same time.
One detail from the Colt story is particularly striking. According to reporting from Diginomica, Colt had run a red team exercise shortly before the attack - and the exercise had revealed, among other things, that the organisation needed crisis communications capability. The company had recruited a crisis communications partner in response. Then, just weeks later, the real attack hit.
This is not a cautionary tale about preparation arriving too late - it is a powerful argument for why red team exercises and resilience testing need to include communications infrastructure as a first-class concern. The question is not only “can we detect the attack?” or “can we contain the attack?” It is: “when everything goes dark, can our people still talk to each other?”
An effective out-of-band communications capability for an organisation of Colt’s scale - or indeed for any organisation operating critical infrastructure - requires several properties that standard enterprise tools cannot provide:
Architectural separation: The OOB platform must be hosted on infrastructure entirely independent of the corporate environment - separate hosting, separate DNS, separate administrative accounts. If WarLock compromised Colt’s SharePoint via CVE-2025-53770, any tool hosted on, integrated with, or administered from that SharePoint estate is potentially compromised too.
Pre-configured contact groups: In a crisis, you cannot afford to spend time building distribution lists. The CEO, the board, the legal team, the PR team, the key customer contacts - all must be pre-configured and tested.
Multi-modal alerting: When primary systems are down, alerts must reach people via secondary channels - SMS, push notification, or dedicated device - not email.
Access without corporate credentials: If the OOB platform authenticates through Active Directory or the corporate single sign-on, access fails the moment that directory is compromised or deliberately taken offline - the worst possible time. The platform needs its own identity store, with users and devices enrolled in advance.
Documented audit trail: Colt filed more than 75 reports to regulators, law enforcement bodies, and cybersecurity agencies across 27 countries. Every communication, every decision, every notification must be logged, tamper-evident, and retrievable when those reports are written.
Rapid mass notification: The ability to push a single coordinated message to thousands of stakeholders simultaneously, with confirmation of receipt.
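As an added illustration of three of the properties listed above (multi-modal alerting with fallback channels, mass notification with confirmation of receipt, and a tamper-evident audit trail), here is a small Python model. It is example code written for this page, not YUDU Sentinel’s or Colt’s implementation; the contacts, timings, and the in-memory outbox standing in for real SMS and push gateways are all constructed.

```python
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # hash of the "previous" entry before the first one


@dataclass
class Contact:
    name: str
    channels: list      # ordered fallback, e.g. ["push", "sms"]; never email
    attempt: int = 0    # index of the channel used for the latest send
    sent_at: int = 0    # clock value of the latest send
    acked: bool = False


class AuditLog:
    """Append-only log: each entry commits to the previous entry's hash, so
    editing or removing any entry breaks verification of everything after it."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev, event):
        body = json.dumps(event, sort_keys=True)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        h = self._digest(prev, event)
        self.entries.append({"prev": prev, "event": event, "hash": h})
        return h

    def verify(self):
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or e["hash"] != self._digest(prev, e["event"]):
                return False
            prev = e["hash"]
        return True


class Notifier:
    """Broadcasts one message to a pre-configured group, tracks acknowledgements,
    and escalates to the next channel for anyone who has not confirmed receipt."""

    def __init__(self, contacts, log):
        self.contacts = {c.name: c for c in contacts}
        self.log = log
        self.outbox = []  # constructed stand-in for SMS/push gateways

    def _send(self, contact, message, now):
        channel = contact.channels[contact.attempt]
        self.outbox.append((contact.name, channel, message))
        contact.sent_at = now
        self.log.append({"t": now, "type": "sent", "to": contact.name,
                         "channel": channel, "msg": message})

    def broadcast(self, message, now):
        for c in self.contacts.values():
            c.attempt, c.acked = 0, False
            self._send(c, message, now)

    def acknowledge(self, name, now):
        self.contacts[name].acked = True
        self.log.append({"t": now, "type": "ack", "from": name})

    def escalate(self, message, now, timeout):
        """Resend on the next channel for unacknowledged contacts whose last send
        is at least `timeout` old; return those with no channels left to try."""
        unreached = []
        for c in self.contacts.values():
            if c.acked or now - c.sent_at < timeout:
                continue
            if c.attempt + 1 < len(c.channels):
                c.attempt += 1
                self._send(c, message, now)
            else:
                unreached.append(c.name)
                self.log.append({"t": now, "type": "unreached", "to": c.name})
        return unreached

    def pending(self):
        return sorted(n for n, c in self.contacts.items() if not c.acked)


def demo():
    """Constructed scenario: three crisis contacts, one acknowledges, escalation runs."""
    log = AuditLog()
    n = Notifier([Contact("CEO", ["push", "sms"]),
                  Contact("Legal", ["push", "sms"]),
                  Contact("PR", ["sms"])], log)
    n.broadcast("Incident declared: use OOB channel only", now=0)
    n.acknowledge("CEO", now=3)
    unreached = n.escalate("Incident declared: use OOB channel only", now=15, timeout=15)
    return {"unreached": unreached, "pending": n.pending(),
            "channels_used": [o[1] for o in n.outbox], "log_ok": log.verify()}


if __name__ == "__main__":
    print(demo())
```

The escalation loop is the point: receipt is tracked per person, not per message, and nobody is silently dropped - a contact whose channels are exhausted is reported as unreached so a human can chase them by phone. Verifying the hash chain before exporting the log is what turns “we logged it” into evidence a regulator can rely on.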
Colt’s recovery took more than three months. Billing was disrupted. Invoices were delayed. Customer portal access was unavailable. Voice API services - upon which enterprise customers depend to automate and manage their communications - were offline. The reputational cost of those weeks cannot be calculated in the same way as the direct operational loss, but it is real.
Gilder’s observation that “overwhelming goodwill” from customers sustained the business through the recovery is heartening - and a tribute to her leadership. But goodwill is not guaranteed. And the next organisation to face this experience may not have the same reservoir of customer patience.
The question for every board, every CISO, every CEO reading this is not whether their organisation will face a serious cyber incident. The question is whether, when the lights go out, they will be able to lead.
“When everything goes black and dark, the only thing you can rely on is people and communications.”
— Keri Gilder, CEO, Colt Technology Services