Royal Mail stands firm as LockBit leaks data and renews ransom demand

The LockBit ransomware gang has made good on its threat to leak data exfiltrated from Royal Mail’s systems, but the postal service is not entertaining the possibility of giving in.

The LockBit ransomware gang has leaked a tranche of data exfiltrated from Royal Mail’s IT systems during its January 2022 cyber attack, and set a fresh ransom demand of £33m as it renews its efforts to force the postal service to cough up.

The prolific Russian-speaking ransomware operation had previously set a £66m ransom demand – which Royal Mail rejected as an “absurd” amount of money – before dropping it to approximately £47m.

It cut off negotiations with the postal service on or around 9 February but, despite its initial threats, did not release any of the data it stole until 23 February, when a 44GB dump was leaked via its dark web site.

According to preliminary analysis, the contents of the files relate to various parts of Royal Mail’s business, and include technical information, contracts with third-party suppliers, human resource and staff disciplinary records, details of salaries and overtime payments, and even one staff member’s Covid-19 vaccination records.

A Royal Mail spokesperson said: “Royal Mail is aware that an unauthorised third party has published some data allegedly obtained from our network. The cyber incident impacted a system concerned with shipping mail overseas.

“At this stage of the investigation, we believe that the vast majority of this data is made up of technical program files and administrative business data. All of the evidence suggests that this data contains no financial information or other sensitive customer information. We continue to work closely with law enforcement agencies,” they said.

The impact of the January attack on Royal Mail’s customers has now largely passed, with the last remaining international services through Post Office branches restored earlier this week.

At the peak of disruption, the organisation was entirely unable to process or dispatch any letters or parcels to destinations outside the UK, leaving many small business owners who rely on its services to ship goods to customers overseas in an extremely difficult position.

At the time of writing, Royal Mail said it was currently processing “close to normal” daily volumes of mail, with some residual delays, and while things are returning to normal, it is possible that customers may still encounter some issues when sending letters and parcels abroad over the coming days and weeks.

The Post Office, meanwhile, has said it will increase remuneration for postmasters for a time to help them recover some of the business they lost to the service disruption.

Tim Mitchell, security researcher and LockBit thematic lead at Secureworks, commented: “The majority of attacks on organisations by gangs like LockBit are opportunistic, exploiting a vulnerability or stolen credentials and grabbing whatever data they can regardless of what it is. But it’s important to remember that even if the data doesn’t contain PII [personally identifiable information] or what Royal Mail would consider sensitive, it could still be valuable to threat actors.

“Royal Mail might not deem the data that was stolen, and has now been published, as sensitive, but that didn’t stop its international operations being significantly impacted for six weeks. Regardless of the financial ransom demand, the operational pain that LockBit has caused the business is proof of the damage ransomware can inflict on an organisation,” said Mitchell.
