Royal Mail Ransomware Attack: Delivering a Questionable Incident Response
Author: Gordon Smith
In January 2023, Royal Mail was hit by a cyber attack and, according to a leaked communication log between Royal Mail and the LockBit hacking group, a ransom demand of £65m. Many have been quick to criticise the British postal organisation for its handling of the incident. Gordon Smith analyses the response to deliver a verdict on Royal Mail’s operation.
Nature abhors a vacuum, and social media isn’t overly fond of one either. This is why, after Royal Mail experienced a technical issue with its parcel tracking system on 11 January 2023, warning of “severe service disruption”, customers quickly made their feelings known.
David McDonald, the owner of a vinyl records business, took to Twitter to vent about the lack of detail. “I have seen more information about Iron Maiden stamps than I have about the disastrous cyber attack that is crippling small businesses,” he tweeted. Donna Léoni wrote: “Usually I would sympathise, but the updates received have been abysmal.”
There was reported “chaos” at the Royal Mail Heathrow distribution centre, one of six affected sites, with all computers off and no scanners for tracking and tracing international parcels working.
The disruption caused some clients to take their business to rival logistics companies. This was all playing out as more than 100,000 Royal Mail workers had been striking over pay and conditions.
The BBC’s cybersecurity reporter, Joe Tidy, questioned why Royal Mail kept referring to the issue as a “cyber incident”, even after journalists had independently confirmed it was a ransomware infection. “As a private company, it is required to keep the authorities and regulators informed about the situation, but it has chosen to say very little to the public,” he critiqued.
Fresh updates from Royal Mail were as slow to arrive as the delayed post crawling into the UK. A basic message appeared on the Royal Mail website for days, advising customers to stop sending letters and parcels overseas. The only update made was the date. Royal Mail spokespeople declined to comment. A week later, the company announced it was working through the backlog of parcels for international postage and asked the public to hold off sending any new ones.
Royal Mail’s CEO, Simon Thompson, later told a parliamentary committee that it was a cyber attack rather than a cyber incident, but he didn’t divulge any specifics.
Royal Mail’s response contrasts with that of earlier ransomware victims like Maersk, the world’s largest shipping operator, and Norsk Hydro, the aluminium and renewables company. And by ‘contrasts’, we mean ‘is inferior to’. When Maersk was hit by NotPetya in 2017, and when Norsk Hydro was infected in 2019, both companies communicated clearly what was happening and gave regular updates as they worked through their recovery plans.
In May 2021, Ireland’s Health Service Executive (HSE) was hit by ransomware that prevented patients from making appointments and forced many hospitals to use paper records. “Within 12 hours of the outbreak, the CEO of the HSE was on the morning news giving as much detail as he could and saying it was a ransomware attack, and [explaining] what the situation was,” says Brian Honan, a former special advisor on cybersecurity to Europol and CEO of BH Consulting, an independent cybersecurity firm.
Case for the prosecution
Does Royal Mail’s comparative silence make it guilty of the worst incident response ever? The court of public opinion might point an accusing finger, but experts say the verdict isn’t clear-cut.
Professor Ciaran Martin of the University of Oxford doesn’t comment on specific cases, but as the former head of the UK’s National Cyber Security Centre, he’s familiar with large-scale cyber incidents.
“What people normally care about is the impact. The fact that it’s a cyber incident is secondary to the customer or service user,” Prof Martin says. “Essentially, disruptive ransomware attacks fall into two categories – is there an obvious impact that you can’t hide, or isn’t there? A big professional services firm may not notice an effect on its customer-facing services. But in a case like the HSE where anyone who wanted to get a hospital appointment suddenly couldn’t, well, that’s going straight to the media.”
Royal Mail operates a highly visible part of a critical supply chain, where any significant shock soon becomes obvious. For context, the group’s UK parcels, international and letters segment delivered close to 1.4 billion packages in the financial year 2020 to 2022.
With data breaches and security incidents an increasing fact of business life, the focus shifts from pure prevention to reacting effectively when the manure strikes the air conditioning unit, and a lot of this comes down to preparation.
A crucial part of incident response should be how the victim explains what happened. Brian Honan calls this ‘Honan’s law’. “You won’t be judged for having a security breach, [but] you will be judged for how you respond to it. In the majority of cases, it’s not the technical aspect of the response that comes under criticism; it’s the communications and PR side of the response that lets companies down.”
“With a lack of solid communications and facts coming from an affected organisation, the media are under pressure to write a story and in the absence of official communication from the victim organisation, they might publish speculation. And it’s the same with social media where rumours could be amplified,” Honan says.
In the immediate aftermath of a major incident, however, the situation can be anything but straightforward, which makes it hard to assess precisely how much information to share with stakeholders. It’s not a good look when a CEO has to go back and change a definitive statement like “customer data was not affected” if it later emerges that it was.
Mind your language
Joseph Carson, chief security scientist and advisory CISO at Delinea, is a veteran of multiple ransomware investigations. “Sometimes what happens in an investigation [means] you’re learning new things every day,” he says. “It’s really important while being honest and transparent in providing solid communications, that it has to be based on facts, hard evidence and not assumptions. Don’t say things you don’t know. That’s where you lose trust.”
Royal Mail may also have had good reasons for choosing the more general term ‘cyber incident’ in its early communications. Carson says that investigations often reveal other criminal activity the victim wasn’t aware of.
“Ransomware is just one component of a security event. Ransomware is the impact, the financial portion. A cyber incident typically deals with unauthorised access, potentially data theft, or installing other types of malicious software, so I prefer to classify things much more broadly,” he says.
Carson, Honan and Martin agree that many organisations struggle to manage data breaches or cybersecurity incidents. Royal Mail is not an outlier. “I’ve been working in security a long time, and I’ve seen a lot worse,” Carson says.
Security commentators reading between the lines of Royal Mail’s more recent statements found other reasons to be optimistic. “Bravo to Royal Mail implementing ‘operational workarounds’ indicating they are not paying the ransom but rather recovering their systems per their DR [disaster recovery] plan,” says Lee Neely, senior IT and security professional at Lawrence Livermore National Laboratory.
So if Royal Mail isn’t guilty of the worst incident response ever, who is? That dubious honour probably goes to TalkTalk, whose then-CEO toured TV and radio studios armed with an exceptionally poor grasp of the facts about the company’s data breach.
Proper preparation prevents…
So what can organisations do to avoid becoming the next social media cause célèbre for all the wrong reasons? Start by changing how they think about cyber incidents. “Senior management in many organisations still see cybersecurity as an IT issue, not a business risk. We have seen organisations where senior management and the board have been caught like rabbits in the headlights because they don’t know what to do,” Honan says.
Developing good relationships with suppliers can mean they’re willing to pitch in and help during a crisis. Carson also advises setting up retainers with experts in incident response. “That expertise goes a long way to help you mitigate and gain control as quickly as possible. It makes a big difference so your staff can focus on the business while they’re focused on the investigation,” he says.
Organisations that invest in cyber insurance have the added benefit of an incident response team ready to hit the ground running in the event of an incident, with a specialist team that exists to give organisations advice and options – including whether to pay the ransom.
Professor Martin urges businesses to practice their incident response plan ahead of time. “You don’t want to be finding out who’s good in a crisis, in a crisis. It is enormously helpful to tease out things that you might not think of, that appear obvious in retrospect,” he says.
These exercises can be really simple, Prof Martin says, and they should be based on scenarios that are realistic, straightforward and likely to happen. “Most of us will not be involved in situations that meet the threshold for Hollywood movies, but most of us will have someone close to us who will have suffered some form of cyber harm. Rehearse the bits you’re likely to face, not the bits you’ll be watching Ryan Reynolds running around, trying to fight,” he says.
Carson likens these simulations to fire drills and health and safety plans: they need to become part of a company’s operations. “Many organisations are so reliant today on digital technology. They can only be resilient by having alternatives and plans for when that technology is no longer available.”
Brian Honan says the mood music around security incidents has changed, and companies no longer need to adopt a strategy of hoping it all blows over. “By dealing with the breach in a proactive and assertive and positive way, with good, concise and clear communication to all affected parties, you can actually gain people’s trust, to a point where they say ‘yes they had a breach, but they dealt with it well.’”
Three critical considerations for incident response preparation:
Establish who is in charge during an incident and how to contact them, assuming email is down. Where are those response phone numbers saved, and can they be reached when the corporate network is unavailable?
Understand which systems are in place to tell you what is going on, so you can assess the impact without delay.
Identify which parties you need to manage in case of an incident, such as customers, regulators and the media, and who is responsible for communicating with each.