On January 11, Royal Mail announced that a “cyber incident” sparked significant disruption to its international exports. The British postal service asked its customers to refrain from mailing any international items while it worked through the incident.
On January 19, the company released a service update with the news that it “started moving limited volumes of export parcels.” Customers were able to send international letters beginning the day prior, but Royal Mail continued to request its customers not attempt to mail any new export parcels through its network.
Thus far, few details on the nature of the cyber incident have been made available. “Any number of malicious actions conducted by cybercriminals or nation-state actors can disrupt computer systems that are critical for complex operations like mail logistics,” Adam Flatley, vice president of threat intelligence at cybersecurity company [redacted] and former director of operations at the National Security Agency (NSA), tells InformationWeek.
LockBit ransomware is suspected in connection to the Royal Mail incident, though it has yet to be confirmed, according to a TechCrunch news report.
“LockBit often targets insiders as a way of hacking systems. While we don’t know yet if this is the case for Royal Mail, we know the hacking group’s attack on Accenture in 2021 was thought to have been enabled by an insider. This could be anything from entering the supply chain through a network/API or even paying a disgruntled employee,” says Jonathan Wood, founder and CEO of risk management platform C2 Cyber.
The mail carrier delivered 152 million international parcels in the year ending March 2022, according to its 2021-2022 annual report. Though a small fraction of its overall parcel volume for the year, the consequences of the breach are likely wide-reaching.
“The disruptions caused by this incident are indicative that international, physical supply chains can most certainly be disrupted by cyberattacks, which can be costly, time consuming and have a direct impact on business operations beyond the directly targeted organization,” says Alexander Heid, chief research and development officer with cybersecurity risk management company SecurityScorecard.
Mounting Mail Backlog
While the mail carrier trials operational workarounds and recovers from the incident, it will likely have to contend with a mounting backlog.
“The sheer scale of Royal Mail’s international delivery service means it’s incredibly likely that customers from around the world may not receive the right communications about the stop-in service. They will continue trying to send parcels, with package mountains building up at local depots and a huge backlog (and likely claims) to contend with once the service resumes,” says Wood.
Whether or not Royal Mail will face any type of regulatory consequences will depend on a number of issues. “The important factors in any sort of regulator consequences are based on whether all the right steps were taken to the best of an organization's ability and knowledge (in conforming with the requirements) and whether the incident was disclosed in a timely manner,” says Sanjay Raja, vice president of product marketing and solutions at cybersecurity company Gurucul. “If both of those hold true, then it shows that the organization, in this case, Royal Mail, followed the rules and regulations as best as possible. If not, then a fine will surely ensue.”
Wood contends that the delay in resuming international service could play a role in potential regulatory action. “Given the service has not resumed a week after the cyber incident, it’s likely Royal Mail does not have an adequate backup system in place and so will be fined for not being able to reinstate and deliver this critical service,” he says.
Royal Mail is working with external experts to investigate the incident, and it reported the incident to regulatory and security authorities, according to the company’s January 19 statement. While the exact nature of the incident remains unknown, lessons can be learned from yet another disruptive cyber event.
“The biggest lesson is that we can't continue to try to solve the cybersecurity problem with a purely defensive mindset. We need to move forward with an approach that blends together the approaches of preventing what is preventable, responding quickly and effectively to what is not preventable and actively hunting down malicious cyber actors,” Flatley says.