Royal Mail’s parent organisation International Distributions Services plc (IDS) has revealed it spent a total of £10m in the six months to 24 September on remediation and systems resilience improvement in the wake of a LockBit ransomware attack on its systems.
The incident, which IDS is now referring to as a cyber attack specifically on IT systems at its Heathrow Worldwide Distribution Centre, unfolded in January 2023.
This 25-acre facility in Langley, near Slough in Berkshire handles almost all mail entering and leaving the UK, and the attack caused chaos across the country leaving consumers and businesses alike unable to send and receive parcels.
The postal service was eventually able to recover its export services, over a month later, but not before the disruption spilled over into its sister business, the Post Office, which ended up compensating postmasters for their lost business.
In the meantime, the LockBit ransomware cartel, which initially disclaimed all responsibility for the incident, eventually came clean, and later, driven to frustration by Royal Mail’s refusal to pay an “absurd” £66m ransom, leaked data including technical information, contracts with third-party suppliers, human resources and staff disciplinary record, salary and overtime details, and even Covid-19 vaccination records.
For obvious reasons, IDS did not provide details of how or on what it spent its increased cyber security budget, but SecurityScorecard CISO Steve Cobb highlighted some core areas that were likely a focus.
“Remediation could include activities like system recovery and rebuild. Ransomware infections will many times leave systems unusable, so they must be rebuilt from scratch and this could include purchasing new hardware and new virtual services,” he said.
“After ransomware events, organisations are usually looking to improve their identity access management [IAM] programmes, which could include implementing or strengthening MFA, SSO, and/or Active Directory [AD] hardening. Inevitably in a ransomware event, identity was compromised at some point along the way, so this is a focus.
“Lots of recent ransomware events have involved initial access occurring in a cloud environment and the attacker pivots to an on-premise infrastructure that allows for the broad distribution of their ransomware, so they are probably investing in cloud security technologies to better detect threats and respond quicker.
“They could also be investing in resources. We see many of these victims who have a mature security programme, but it is not monitored and maintained as it should be because they are understaffed or have staff inexperienced with hardening systems to protect from threats like ransomware,” said Cobb.
The £10m spent on improved cyber resilience contributed to an increase in year-on-year (YoY) infrastructure costs of 5.6% in IDS’ latest financial statements, but overall, non-people costs of which infrastructure forms a part declined by 0.5%.
It is likely that this fall can to some extent be attributed to the cyber attack, with IDS saying it had seen significantly lower international mail volumes leading to lower overseas conveyance costs and lower terminal dues.
Other operating costs were also down, driven both by cost-cutting activities and lower volume related costs of commission paid to the Post Office, linked to lower traffic through its branches.
A fall in parcel volumes of 5% and parcel revenues of 6.5% is also clearly, though not wholly, attributable to the cyber attack, as Royal Mail also saw significant strike action at times, as well as a generally tough economic climate.
However, the £10m of extra spend did not help the overall picture, with IDS as a whole falling to a £243m operating loss in the half-year to 24 September, compared to an operating loss of £157m in the year-ago period, on total revenues of £5.86bn, roughly flat on last year.
Royal Mail specifically made a loss of £319m during the period, compared to £219m in the same period of 2022, on revenues of £3.54bn, down 2.9% on 2022.
IDS CEO Martin Seidenberg said the organisation was making good progress on its turnaround plan, but called for more assistance from Westminster.
“We are transforming our business every day, but we can’t do it all on our own. We also need the regulator [Ofcom] and the government to do their bit. It’s simply not sustainable to maintain a network built for 20 billion letters when we’re now only delivering seven billion,” he said.
“The UK is not immune to the trends that we see across the world. Many other comparable countries have already reformed their Universal Service, and the UK is getting left behind. We welcome the fact that Ofcom will be reviewing options for the Universal Service, but the need for reform is urgent.”
Read more about the attack on Royal Mail
- 11 January 2023: UK postal service Royal Mail is asking customers not to send any overseas letters or parcels while it deals with the impact of an ongoing cyber attack.
- 13 January: The still-developing cyber incident at Royal Mail may be the work of the infamous LockBit ransomware operation.
- 17 January: Royal Mail CEO Simon Thompson apologises to customers whose businesses are being disrupted by a ransomware attack and promises a “workaround” will be in place in the near future.
- 19 January: Royal Mail has resumed limited international services after putting in place operational workarounds to bypass the impact of a ransomware attack.
- 23 January: Royal Mail asks customers to hold back from sending post overseas as some services get back on track, while a report warns that disruptive attacks on critical infrastructure are set to become more common.
- 26 January: Royal Mail has successfully stood up its International Tracked and Signed, and International Signed, services as it continues to recover from a ransomware attack.
- 31 January: Royal Mail is making further progress in recovering IT systems hit by a ransomware attack, and has re-enabled another tranche of international export services.
- 6 February: Royal Mail has restored almost all of its international services to some extent, but remains unable to accept parcels bought over the counter in a Post Office branch.
- 7 February: The LockBit ransomware gang claims it has stolen sensitive data from Royal Mail and will leak it later this week if its demands go unmet.
- 15 February: Leaked chat logs reveal Royal Mail has supposedly refused to pay a £66m ransom demand from the LockBit ransomware gang.
- 21 February: Royal Mail resumes the last of its international services as it recovers from a ransomware attack, while the Post Office offers postmasters compensation for their lost business.
- 24 February: The LockBit ransomware gang has made good on its threat to leak data exfiltrated from Royal Mail’s systems, but the postal service is not entertaining the possibility of giving in.