Cyber threats have become a significant concern for businesses worldwide in the digital age. The Royal Mail, a British postal and courier mail company, was not exempt from this reality. In January 2023, the company fell victim to a ransomware attack that disrupted its operations and made headlines across the globe.
Some time has passed, and we now look to provide a detailed exposé of the incident, its impact, the suspected threat actors, and the response from Royal Mail. The information is based on reports and data freely available online from various sources, including the Cyber Management Alliance, The Guardian, and Computer Weekly.
- Royal Mail Cyber Incident Synopsis
- What Was The Royal Mail Cyber Incident?
- Timeline of the Incident
- Royal Mail's Response During The Incident
- Post-Incident Recovery for Royal Mail
- Effect of The Incident on The Royal Mail
- Lessons We Can Learn from The Royal Mail Cyber Incident
- Who Was Responsible for The Royal Mail Cyber Incident?
- Final Thoughts on The Royal Mail Cyber Incident
Royal Mail Cyber Incident Synopsis
What Was The Royal Mail Cyber Incident?
On 7 March 2023, Royal Mail's IT systems were hit by a ransomware attack that disrupted its operations, particularly its ability to send parcels overseas. This affected many individuals and small businesses in the UK and abroad.
The attackers, the LockBit ransomware gang linked to Russia, demanded a substantial ransom payment for the decryption key. The ransom notes were reportedly printed on custom dockets after hackers encrypted the international shipping devices.
Royal Mail refused to fulfill the ransom demand, which some estimate was in the millions. The attackers then threatened to publish the stolen and encrypted data online.
Timeline of the Incident
January 2023
Early January: Royal Mail is hit by a ransomware attack. The LockBit ransomware gang linked to Russia is identified as the threat actor. The attack disrupts Royal Mail's IT systems, affecting its ability to send parcels overseas. The attackers demand a substantial ransom payment in exchange for the decryption key.
Mid-January: Royal Mail refuses to fulfill the ransom demand. The attackers threaten to publish the stolen and encrypted data online.
February 2023
Early February: Royal Mail continues to work on restoring its services. The company cannot handle international mail or parcels through its 11,500 Post Office branches across the UK.
Mid-February: The Post Office announces that it will provide branch operators with additional remuneration for handling international items.
21 February: Royal Mail restarts international parcel and letter deliveries through Post Office branches, almost six weeks after revealing the cyber incident. However, the company warns delivery might take slightly longer than before, and the tracking information available to customers might differ.
March 2023
7 March: Royal Mail announces that all international export services to all destinations are now available for purchase online, via shipping partners, or over the counter. The company is now processing close to regular daily volumes of international export mail with some delays.
Royal Mail's Response During The Incident
Royal Mail took some prompt steps in informing the Information Commissioner's Office and the UK's National Cyber Security Centre in time, and both published statements about the incident very shortly. This reflects good cyber incident response – something every organization must prioritize today.
By 21 February 2023, Royal Mail had restarted international parcel and letter deliveries through Post Office branches almost six weeks after revealing the cyber incident. However, the company warned delivery might take slightly longer than before, and the tracking information available to customers might differ.
It also asked people sending items that require a customs declaration to buy online, through shipping solutions partners, or over the counter rather than using postage stamps or meters.
Post-Incident Recovery for Royal Mail
While Royal Mail services are back running at total capacity, the company is poised to face another round of strikes by its 115,000 postal workers in a long-running dispute over pay and conditions. Members of the Communications Workers Union (CWU) voted overwhelmingly to strike after 18 days of action last year. No dates for further stoppages have yet been set.
The company has said it is losing £1m a day and warned that up to 10,000 jobs needed to be cut by August 2023 as part of a restructuring program to refocus the business on the booming parcel delivery sector, as UK letter volumes continue to decline.
Effect of The Incident on The Royal Mail
The attack significantly impacted Royal Mail's operations and customer trust. The company had to resort to manual processes, resulting in longer customer waiting times. The attack also affected the customer trust of an organization that has built its reputation over 500 years.
The Royal Mail ransomware attack underlined the need for better ransomware readiness more than anything else.
Royal Mail needed help handling international mail or parcels through its 11,500 post office branches across the UK. The company worked tirelessly in partnership with the Post Office to reinstate all international services via the branch network.
The Post Office provided branch operators additional remuneration for handling international items in the form of a fixed payment for each transaction and an additional commission for all Royal Mail international labels sold in branches during February and March.
Lessons We Can Learn from The Royal Mail Cyber Incident
The Royal Mail ransomware attack serves as a wake-up call for organizations to take cybersecurity threats seriously and implement measures to protect themselves immediately. By learning from this incident and taking proactive measures, businesses can significantly reduce their risk of falling victim to a ransomware attack.
More importantly, they can ensure that if they are attacked, they can recover from it with minimum possible damage. Smaller businesses may never recover from such incidents. This is why taking a hard look at your Ransomware Readiness and Ransomware Mitigation Plans is imperative.
Cybersecurity experts can help you evaluate your cybersecurity posture and help you build defenses against crippling ransomware attacks. They can also help you conduct Ransomware Tabletop exercises that can help you build responses to actual attacks.
Who Was Responsible for The Royal Mail Cyber Incident?
The LockBit ransomware gang, linked to Russia, was identified as the threat actor behind the attack. Initially, the gang tried to deny responsibility, saying that an unsanctioned operator had carried out the attack using a leaked copy of its source code.
It later pivoted and claimed that an affiliate had attacked Royal Mail without knowledge. Subsequently, the gang did take responsibility, and last week, it leaked a copy of the chat transcript between its operatives and a negotiator working on Royal Mail's behalf.
The transcript revealed that the postal service refused to pay a £66m (approximately $82m) ransom demand, saying it was an “absurd amount of money.” Royal Mail has steadfastly declined to comment on the accuracy of the transcript.
Final Thoughts on The Royal Mail Cyber Incident
The Royal Mail cyber incident is a stark reminder of the cyber threats businesses face in the digital age. The attack not only disrupted the company's operations but also had a significant impact on its reputation and customer trust.
However, Royal Mail's response to the incident, including its refusal to pay the ransom and its efforts to restore services, demonstrates a strong stance against cyber threats. The incident underlines the growing importance of ransomware readiness for organizations of all sizes and sectors across the globe.
Businesses must learn from such incidents and take proactive measures to protect themselves from similar threats in the future.
