
Royal Mail spent £10m on cyber measures after LockBit attack

Royal Mail has spent approximately £10m on recovery and improved cyber resilience measures in the wake of the January 2023 LockBit ransomware attack

Royal Mail’s parent organisation International Distributions Services plc (IDS) has revealed it spent a total of £10m in the six months to 24 September on remediation and systems resilience improvement in the wake of a LockBit ransomware attack on its systems.

The incident, which IDS is now referring to as a cyber attack specifically on IT systems at its Heathrow Worldwide Distribution Centre, unfolded in January 2023.

This 25-acre facility in Langley, near Slough in Berkshire, handles almost all mail entering and leaving the UK, and the attack caused chaos across the country, leaving consumers and businesses alike unable to send and receive parcels.

The postal service was eventually able to recover its export services, over a month later, but not before the disruption spilled over into its sister business, the Post Office, which ended up compensating postmasters for their lost business.

In the meantime, the LockBit ransomware cartel, which initially disclaimed all responsibility for the incident, eventually came clean and later, driven to frustration by Royal Mail’s refusal to pay an “absurd” £66m ransom, leaked data including technical information, contracts with third-party suppliers, human resources and staff disciplinary records, salary and overtime details, and even Covid-19 vaccination records.

For obvious reasons, IDS did not provide details of how or on what it spent its increased cyber security budget, but SecurityScorecard CISO Steve Cobb highlighted some core areas that were likely a focus.

“Remediation could include activities like system recovery and rebuild. Ransomware infections will many times leave systems unusable, so they must be rebuilt from scratch and this could include purchasing new hardware and new virtual services,” he said.

“After ransomware events, organisations are usually looking to improve their identity access management [IAM] programmes, which could include implementing or strengthening MFA, SSO, and/or Active Directory [AD] hardening. Inevitably in a ransomware event, identity was compromised at some point along the way, so this is a focus.

“Lots of recent ransomware events have involved initial access occurring in a cloud environment and the attacker pivots to an on-premise infrastructure that allows for the broad distribution of their ransomware, so they are probably investing in cloud security technologies to better detect threats and respond quicker.

“They could also be investing in resources. We see many of these victims who have a mature security programme, but it is not monitored and maintained as it should be because they are understaffed or have staff inexperienced with hardening systems to protect from threats like ransomware,” said Cobb.

The £10m spent on improved cyber resilience contributed to an increase in year-on-year (YoY) infrastructure costs of 5.6% in IDS’ latest financial statements, but overall, non-people costs, of which infrastructure forms a part, declined by 0.5%.

It is likely that this fall can to some extent be attributed to the cyber attack, with IDS saying it had seen significantly lower international mail volumes leading to lower overseas conveyance costs and lower terminal dues.

Other operating costs were also down, driven both by cost-cutting activities and by lower volume-related costs of commission paid to the Post Office, linked to lower traffic through its branches.

A fall in parcel volumes of 5% and parcel revenues of 6.5% is also clearly, though not wholly, attributable to the cyber attack, as Royal Mail also saw significant strike action at times, as well as a generally tough economic climate.

However, the £10m of extra spend did not help the overall picture, with IDS as a whole falling to a £243m operating loss in the half-year to 24 September, compared to an operating loss of £157m in the year-ago period, on total revenues of £5.86bn, roughly flat on last year.

Royal Mail specifically made a loss of £319m during the period, compared to £219m in the same period of 2022, on revenues of £3.54bn, down 2.9% on 2022.

IDS CEO Martin Seidenberg said the organisation was making good progress on its turnaround plan, but called for more assistance from Westminster.

“We are transforming our business every day, but we can’t do it all on our own. We also need the regulator [Ofcom] and the government to do their bit. It’s simply not sustainable to maintain a network built for 20 billion letters when we’re now only delivering seven billion,” he said.

“The UK is not immune to the trends that we see across the world. Many other comparable countries have already reformed their Universal Service, and the UK is getting left behind. We welcome the fact that Ofcom will be reviewing options for the Universal Service, but the need for reform is urgent.”
