LockBit ransomware group threatens to publish stolen Royal Mail data

The Russian-linked LockBit ransomware gang has claimed responsibility for the Royal Mail cyberattack and is threatening to publish the data it stole from the U.K. postal giant.

Royal Mail, which has been battling a cyberattack since January 10, was added to LockBit’s dark web leak site on Monday. The listing, seen by TechCrunch, doesn’t say how much or what types of data have been stolen from Royal Mail, but LockBit is threatening to publish “all available data” on February 9. This suggests that the ransomware gang’s ransom demand — the amount of which remains unknown — has not been paid.

Royal Mail listed on LockBit's dark web leak site

A listing on LockBit’s leak site says the ransomware group will publish the stolen data in days. Image Credits: TechCrunch (screenshot)

Royal Mail has yet to acknowledge the LockBit ransomware attack, but Royal Mail spokesperson Mark Street told TechCrunch that the company is aware that “an unauthorized third-party has said it plans to publish some data allegedly obtained from our network.” Street added that Royal Mail believes the “vast majority of this data is made up of technical program files and administrative business data,” adding that “all of the evidence suggests that this data contains no financial information or other sensitive customer information.”

Royal Mail’s chief executive previously said it was believed that no customer data had been stolen as part of the attack.

LockBit’s public-facing representative LockBitSupp, who previously denied involvement in the Royal Mail attack and blamed it on other threat actors using LockBit’s leaked builder, did not respond to TechCrunch’s questions.

The Information Commissioner’s Office, the U.K.’s data watchdog, confirmed to TechCrunch that it had been made aware of the incident. “Royal Mail has made us aware of an incident and we will be making enquiries,” said an ICO spokesperson, who did not provide their name.

Royal Mail said it continues to experience service disruption as a result of the incident, now more than a month ago. In an update dated February 7, the company said that while it continues to “make progress” by using alternative solutions and systems not affected by the cyberattack, it remains unable to process international parcels at Post Office branches across the United Kingdom.

“Royal Mail is still asking customers to buy postage online before heading to their Post Office branch to drop off their items, as it remains unable to process any new parcels bought over the counter,” the company said. “Our teams are continuing to work around the clock to reinstate remaining export services as quickly as we can.”

Some reports claimed that Royal Mail was the target of ransomware that compromised machines used to print customs labels for parcels sent to overseas destinations.

Royal Mail ships to more than 200 countries and territories, and sent about 200,000 parcels overseas every day last year, according to the BBC.

The latest development in the Royal Mail cyberattack comes just days after LockBit claimed responsibility for a ransomware attack on Ion Group, a Dublin-based software company that helps financial institutions automate their critical business processes. A representative for LockBit told Bloomberg that the ransom was paid and that the gang had provided a decryption key to unlock the compromised computers. Ion spokesperson Suezelle D’Costa declined to comment when approached by TechCrunch.