A threat actor has claimed a data breach of the British Royal Mail, the UK’s national postal service.
In a post to a popular hacking forum, a threat actor going by the moniker “GHNA” claimed to have breached the Royal Mail Group, exfiltrating 16,549 files totalling 144GB of data.
According to the post, the breach was “courtesy” of a company called Spectos, a German data collection, analysis and operations firm.
“In March 2025, Royal Mail Group, an established brand with more than 500 years of history, beginning as a postal service exclusively for the King and his Court, suffered a data breach which exposed PII of customers, confidential documents, internal Zoom meeting video recordings between Spectos and Royal Mail Group,” said the threat actor.
Other data included delivery and post office location datasets, Mailchimp mailing lists, a WordPress SQL database for mailagents.uk “and more”.
The threat actor also posted a sample of the data, which includes alleged names, full home/postal addresses, company names, phone numbers, and even a screenshot of a planning meeting allegedly between the Royal Mail Group and Spectos.
Speaking to Cyber Daily, the Royal Mail confirmed the breach but added that it was Spectos' network that was accessed.
In the latest leak, GHNA suggests that this is not the first time that Royal Mail data had been leaked as a result of Spectos.
While Cyber Daily has not been able to identify a previous breach resulting from Spectos, another threat actor listed the Royal Mail on the same hacking forum in October.
Infamous leaker “888” listed the postal service, saying the company “suffered a small data breach which includes over 100 files with a total of 2,698 rows of data”.
However, they say that the breach did not occur directly through Royal Mail and that they lost access quickly, preventing a full exfiltration of data.
In 2023, the Royal Mail suffered a ransomware attack at the hands of the LockBit ransomware group.
While LockBit listed the leak as belonging to Royal Mail and set a ransom demand of roughly AU$114.5 million (£65.7 million), only 0.5 per cent of its annual revenue, the data actually belonged to Royal Mail International, which had a much smaller annual revenue of £800 million and was suffering financial issues at the time.
LockBit initially refuted these claims, to which Royal Mail responded saying that it would never pay the “absurd” ransomware demand.
“Under no circumstances will we pay you the absurd amount of money you have demanded,” said Royal Mail in the transcript.
“We have repeatedly tried to explain to you [that] we are not the large entity you have assumed we are, but rather a smaller subsidiary without the resources you think we have. But you continue to refuse to listen to us.
“This is an amount that could never be taken seriously by our board.”
LockBit invited Royal Mail to provide counteroffers, invitations which the British institution ignored.
On 1 February 2023, LockBit lowered its demand to roughly AU$100 million (£57.4 million). Two days later, on 3 February, Royal Mail negotiators took the new demand to its board, leaving LockBit to wait for a response.
However, the chat log leaked by LockBit suggests that the Royal Mail never intended to pay the ransom.
“You are a very clever negotiator, I appreciate your experiencing in stalling and bamboozling, when you are trying to deceive you need to provide evidence for greater credibility, only a fool would believe in the honest word of a lawyer defending his client,” said LockBit during negotiations.
Update - 02/04/2025: The Royal Mail Group confirmed the cyber attack with Cyber Daily, adding that its own network was not breached, but that Spectos' systems were accessed by threat actors.