The January 2023 ransomware attack on Royal Mail has further exposed the parlous state of the company’s infrastructure, all while it battles for survival in an ultra-competitive marketplace.
Ever since the loss of its 350-year monopoly in 2006, the once imperious courier has been beset by strife, with reported losses of £1m a day and a restive workforce staging strikes in a long-running, bitter standoff with management.
The attack could not have come at a worse time for Royal Mail, yet the company is the architect of its own misfortune; after swingeing cost-cutting measures which may have saw its cyber security budget slashed, the company may have left itself wide open to such a calamity occurring.
Hackers from the notorious, Russia-linked LockBit group managed to bypass Royal Mail’s security and disable internal systems to such an extent that the company was unable to make any international deliveries of parcels and letters.
At the same time, LockBit stole tranches of data from Royal Mail servers which it threatened to publicly release unless the company paid an eye-watering £66m ransom.
It was a nightmare come true for management, as well as for the company’s staff and customers, yet it may have been prevented had the firm taken serious pre-emptive and precautionary measures to thwart such a scenario taking shape.
At the time of Royal Mail’s privatisation in 2013, critics warned of the dangers of the state relinquishing an asset of such vital national importance and leaving it at the mercy of profit-thirsty management and investors.
Given Royal Mail’s critical role in daily life for millions of citizens and thousands of businesses alike. In the brave new world of the internet age, far more was at stake than a carriage-load of cash in the bygone era of the Great Train Robbery.
In the decade that followed, the threat posed to businesses by cyber criminal outfits grew exponentially in tandem with the level of sophistication and hacking tools that nefarious actors could deploy.
The devastation caused to critical infrastructure in previous high-profile attacks on other businesses should have spurred Royal Mail management to spend even more money beefing up security. Instead, it is assumed that the opposite occurred, as the company sought short-term ways to save money.
Now, in the wake of the LockBit attack, it will be only too apparent to those at the company’s helm that such a thrifty approach was a false economy as they face the consequences of the hack on their balance sheet.
In the immediate term, they are faced with the prospect of paying a substantial sum to finally rid themselves of LockBit’s unwanted presence and move on from the affair. At the same time, the devastating impact of the hack on Royal Mail’s day-to-day delivery business for a six-week period will also hit the firm hard in the pocket.
Adding insult to injury, the company also faces the possibility of massive fines from the Information Commissioner’s Office (ICO) thanks to the data breaches caused by LockBit’s release of the stolen material.
The ICO can issue monetary fines to firms of up to 4% of annual turnover as punishment for such breaches which, if applied in Royal Mail’s case, would be another hammer blow to its already perilous financial position.
Royal Mail denounced the initial ransom demand as “absurd”, and its negotiators took a similarly dismissive stance in communications with their LockBit counterparts.
The only urgent request Royal Mail made to the hackers was to decrypt files relating to medical equipment it had been tasked with transporting, in order that the attack did not end up costing lives if the goods could not be delivered.
Royal Mail’s involvement in such critical areas as medicine and health underscores its national importance, but at the same time serves as a reminder that the company has a keen duty to properly protect its infrastructure, given its crucial role in life-or-death shipments.
Having refused to accede to LockBit’s demands, Royal Mail managed to resume international operations without the hackers’ assistance, but their intransigence led to LockBit coming good on their promise to release data stolen during the attack.
On 23 February 23, 44GB of data was published, including confidential records and information about Royal Mail employees, leaving the company exposed to potential compensation claims on top of potential ICO fines.
LockBit is still demanding a huge £33m ransom despite the release of the data, implying that either it has more sensitive data in its possession or that its decryption tools remain vital for Royal Mail to fully return to business as usual.
Royal Mail’s predicament should serve as a cautionary tale to all other businesses who are considering cutting back on their cyber security spend. Data security should always be put before profit, primarily to ensure the safety of employees and customers, but also to avoid the crippling costs associated with an attack such as LockBit’s.
Cyber security is an area where corners simply cannot be cut; as hackers continue to expand their skillsets and reach, companies must up their own data security game in response.
Prevention is always better than the cure, as Royal Mail has now found out the hard way.
Simon Ridding is a senior associate at Keller Postman UK, focusing primarily on privacy and competition. He was worked on multiple class actions relating to high-profile data breaches.