Subpostmaster federation hit by ransomware attack

National Federation of Subpostmasters suffered a ransomware attack in April after hackers exploited a bug in its web hosting provider’s software

The National Federation of Subpostmasters (NFSP) was hit by a ransomware attack after a bug was exploited in its web hosting provider’s software.

The attack is still causing technical problems, with emails between the Post Office and the NFSP “paused”, said the Post Office.

On 30 April, days after a bug in software from web hosting company cPanel was discovered and exploited by hackers, the NFSP was targeted.

The affected software, the cPanel web‑based hosting control panel, is used to manage servers and websites. In April, the provider released a security advisory to address a critical vulnerability affecting its software.

“The cPanel attack resulted in our website having a ransomware attack, with the attackers making demands for release of our files,” said NFSP CEO Calum Greenhow. He said the ransomware attack has been reported to the Information Commissioner’s Office (ICO), adding that his IT team had confirmed that no data was lost during the attack. He told Computer Weekly he has just received a report on the issue and is “still trying to get to the bottom of it”.

Ransomware is malware that locks and encrypts a victim’s data, files, devices or systems, rendering them inaccessible and unusable until the attacker receives a ransom payment.

According to reports, tens of thousands of servers were likely compromised as a result of the cPanel vulnerability.

Computer Weekly learned of the ransomware attack on the NFSP after subpostmasters received warnings from the Post Office that a security issue was affecting emails to and from the federation.

The Post Office’s chief information security officer (CISO) wrote to subpostmasters, warning them of a security issue affecting the NFSP that has forced it to pause emails.

A Post Office spokesperson told Computer Weekly: “Following a recent security incident experienced by an external supplier, we have taken the precaution of temporarily suspending some interactions and integrations between the Post Office and the affected supplier. The Post Office is managing the incident in accordance with its cyber security incident management processes and is working with the impacted party.”

The spokesperson added that branch operations are not impacted, and that no compromise of Post Office networks or applications has been identified.

In his initial correspondence with subpostmasters on 22 May, CISO Neil Bennett wrote: “Following a recent security issue involving an external organisation, we have taken the precaution of temporarily pausing inbound and outbound email between the Post Office and [NFSP].”

He said emails sent to @nfsp.org.uk will not be delivered and senders won’t receive an automatic bounceback. He added that emails from @nfsp.org.uk will not reach the inbox during this period.

“Please don’t email @nfsp.org.uk addresses until further notice,” he wrote.

Bennett warned subpostmasters not to try to work around the pause via insecure means of electronic communication, such as personal email, text or WhatsApp.

“If required, you may engage in telephone calls with NFSP stakeholders, but please ensure you validate their identity before discussing anything potentially sensitive, such as turning on cameras,” he advised.

In an update on 2 June, Bennett said the issue remains ongoing and that there has been no change to prior guidance.
