
Royal Mail ransomware attack result of putting profit before security

Latest Royal Mail and CWU news. This is an open forum.
TrueBlueTerrier
FORUM ADMINISTRATOR
Posts: 69598
Joined: 30 Dec 2006, 10:29
Gender: Male
Location: Proud to be part of the Union

Royal Mail ransomware attack result of putting profit before security

Post by TrueBlueTerrier »

https://www.computerweekly.com/opinion/ ... e-security

The LockBit ransomware attack on Royal Mail was more severe thanks to long-running underinvestment in the privatised service, argues Simon Ridding of law firm Keller Postman

The January 2023 ransomware attack on Royal Mail has further exposed the parlous state of the company’s infrastructure, all while it battles for survival in an ultra-competitive marketplace.

Ever since the loss of its 350-year monopoly in 2006, the once imperious courier has been beset by strife, with reported losses of £1m a day and a restive workforce staging strikes in a long-running, bitter standoff with management.

The attack could not have come at a worse time for Royal Mail, yet the company is the architect of its own misfortune; after swingeing cost-cutting measures which may have seen its cyber security budget slashed, the company may have left itself wide open to such a calamity occurring.

Hackers from the notorious, Russia-linked LockBit group managed to bypass Royal Mail’s security and disable internal systems to such an extent that the company was unable to make any international deliveries of parcels and letters.

At the same time, LockBit stole tranches of data from Royal Mail servers which it threatened to publicly release unless the company paid an eye-watering £66m ransom.

It was a nightmare come true for management, as well as for the company’s staff and customers, yet it may have been prevented had the firm taken serious pre-emptive and precautionary measures to thwart such a scenario taking shape.

At the time of Royal Mail’s privatisation in 2013, critics warned of the dangers of the state relinquishing an asset of such vital national importance and leaving it at the mercy of profit-thirsty management and investors.

Given Royal Mail’s critical role in daily life for millions of citizens and thousands of businesses alike, far more was at stake in the brave new world of the internet age than a carriage-load of cash in the bygone era of the Great Train Robbery.

In the decade that followed, the threat posed to businesses by cyber criminal outfits grew exponentially in tandem with the level of sophistication and hacking tools that nefarious actors could deploy.

The devastation caused to critical infrastructure in previous high-profile attacks on other businesses should have spurred Royal Mail management to spend even more money beefing up security. Instead, it is assumed that the opposite occurred, as the company sought short-term ways to save money.

Now, in the wake of the LockBit attack, it will be only too apparent to those at the company’s helm that such a thrifty approach was a false economy as they face the consequences of the hack on their balance sheet.

In the immediate term, they are faced with the prospect of paying a substantial sum to finally rid themselves of LockBit’s unwanted presence and move on from the affair. At the same time, the devastating impact of the hack on Royal Mail’s day-to-day delivery business for a six-week period will also hit the firm hard in the pocket.

Adding insult to injury, the company also faces the possibility of massive fines from the Information Commissioner’s Office (ICO) thanks to the data breaches caused by LockBit’s release of the stolen material.

The ICO can issue monetary fines to firms of up to 4% of annual turnover as punishment for such breaches which, if applied in Royal Mail’s case, would be another hammer blow to its already perilous financial position.

Royal Mail denounced the initial ransom demand as “absurd”, and its negotiators took a similarly dismissive stance in communications with their LockBit counterparts.

The only urgent request Royal Mail made to the hackers was to decrypt files relating to medical equipment it had been tasked with transporting, in order that the attack did not end up costing lives if the goods could not be delivered.

Royal Mail’s involvement in such critical areas as medicine and health underscores its national importance, but at the same time serves as a reminder that the company has a keen duty to properly protect its infrastructure, given its crucial role in life-or-death shipments.

Having refused to accede to LockBit’s demands, Royal Mail managed to resume international operations without the hackers’ assistance, but their intransigence led to LockBit coming good on their promise to release data stolen during the attack.

On 23 February 23, 44GB of data was published, including confidential records and information about Royal Mail employees, leaving the company exposed to potential compensation claims on top of potential ICO fines.

LockBit is still demanding a huge £33m ransom despite the release of the data, implying that either it has more sensitive data in its possession or that its decryption tools remain vital for Royal Mail to fully return to business as usual.

Royal Mail’s predicament should serve as a cautionary tale to all other businesses who are considering cutting back on their cyber security spend. Data security should always be put before profit, primarily to ensure the safety of employees and customers, but also to avoid the crippling costs associated with an attack such as LockBit’s.

Cyber security is an area where corners simply cannot be cut; as hackers continue to expand their skillsets and reach, companies must up their own data security game in response.

Prevention is always better than the cure, as Royal Mail has now found out the hard way.

Simon Ridding is a senior associate at Keller Postman UK, focusing primarily on privacy and competition. He has worked on multiple class actions relating to high-profile data breaches.

Timeline of the attack on Royal Mail

11 January: UK postal service Royal Mail is asking customers not to send any overseas letters or parcels while it deals with the impact of an ongoing cyber attack.

13 January: The still-developing cyber incident at Royal Mail may be the work of the infamous LockBit ransomware operation.

17 January: Royal Mail CEO Simon Thompson apologises to customers whose businesses are being disrupted by a ransomware attack and promises a “workaround” will be in place in the near future.

19 January: Royal Mail has resumed limited international services after putting in place operational workarounds to bypass the impact of a ransomware attack.

23 January: Royal Mail asks customers to hold back from sending post overseas as some services get back on track, while a report warns that disruptive attacks on critical infrastructure are set to become more common.

26 January: Royal Mail has successfully stood up its International Tracked and Signed, and International Signed, services as it continues to recover from a ransomware attack.

31 January: Royal Mail is making further progress in recovering IT systems hit by a ransomware attack, and has re-enabled another tranche of international export services.

6 February: Royal Mail has restored almost all of its international services to some extent, but remains unable to accept parcels bought over the counter in a Post Office branch.

7 February: The LockBit ransomware gang claims it has stolen sensitive data from Royal Mail and will leak it later this week if its demands go unmet.

15 February: Leaked chat logs reveal Royal Mail has supposedly refused to pay a £66m ransom demand from the LockBit ransomware gang.

21 February: Royal Mail resumes the last of its international services as it recovers from a ransomware attack, while the Post Office offers postmasters compensation for their lost business.

24 February: The LockBit ransomware gang has made good on its threat to leak data exfiltrated from Royal Mail’s systems, but the postal service is not entertaining the possibility of giving in.
All post by me in Green are Admin Posts.
Any post in any other colour is my own responsibility.
If you like a news story I posted please click the link to show support
Any news stories you can't post - PM me with a link
Now retired

jimmy76
Posts: 39
Joined: 05 May 2010, 12:33
Gender: Male

Re: Royal Mail ransomware attack result of putting profit before security

Post by jimmy76 »

I was actually affected by this whole situation.

My whole Personal Medical Record was obtained by the hackers and posted online on 'The Dark Web'. I believe roughly 200 employees from my office were similarly affected.

I was informed by my Line Manager at the time, who basically compared my details being leaked, to having a broken arm and everyone outside being able to physically see my condition or disability...

I should obviously have been protected by my office and company.

I am still dwelling on what possible action to take after being in contact with a solicitor.
